Recent reports of cyber attacks on Google and other American companies have raised concerns about protecting the critical infrastructure of a company or a country against a coordinated, targeted cyber attack. The recent cyber attack on Google used exploits targeting zero-day client side vulnerabilities to insert a backdoor trojan called HydraQ into the corporate networks. The attack has drawn much attention to the viability of the United States’ critical infrastructure to ward off similar attacks in the future, perhaps on a broader scale. The concern around this issue is warranted, justified and echoed throughout the industry.
It is important to bear in mind that there are steps that can be taken right now by Congress – steps that have the support and involvement of the cyber security industry and other private sectors — to address some of these concerns and further secure the United States’ critical infrastructure:
- Pass the Federal Information Security Management Act Reform bill, authored by Sen. Tom Carper (D-DE), which updates the cyber security policies and processes for government agencies to follow that was originally passed in 2002 and is badly in need of being updated to respond to today’s threats.
- Pass the Critical Electric Infrastructure Act – legislation that provides guidelines and policies needed to establish a base form of security to protect the nation’s electronic grid from cyber attack.
- Pass legislation championed by Sen. Patrick Leahy, (D-VT) and Rep. Bobby Rush, (D-IL) stipulating a process for entities to notify individuals if their information has been compromised. 85 percent of the nation’s critical infrastructure is privately owned. By establishing a framework of minimum security precautions that companies must take to protect customer information — such as the use of encryption — the bill contributes to the overall security of the nation’s critical infrastructure.
Finally, with the appointment by the Obama Administration of Howard Schmidt as the nation’s cyber security coordinator, the White House should waste no time in implementing the findings of the 60-day Cyber Security Review to help secure the nation’s critical infrastructure. We support the Administration’s lead to establish a new partnership between the public and private sectors to increase coordination and improve the exchange of information on the threat landscape. The partnership between the private and public sector should also extend to more funding for the research and development of cyber security technologies and processes. The report also stipulates a greater emphasis also needs to be placed on efforts to promote better cyber security education and awareness. The report also identifies the end user is a key factor in reducing risk and protecting against threats. Better practices online as well as the use of security products like, anti-virus, anti-spam and anti- phishing can play a significant role in reducing cyber threats. Finally, the US needs to take a strong leadership position with other nations to improve cooperation on cyber crime prosecution and also improve protection against threats to the critical infrastructure.
While security is an integral step to protect networks, it must be combined with a means to organize, prioritize, and store information seamlessly for enterprises and governments to truly withstand today’s cyber attacks.
These are steps to improve the protection of critical infrastructure should be emulated around the world as cyber security is a global issue affecting the critical infrastructures of every country.
Francis deSouza Sr. Vice President, Symantec Enterprise Security Group