While some progress has been made with standards at both the DHS and industry groups such as the NERC, some argue that government procurement policy could be used to drive higher security standards from manufacturers of hardware and software used to operate critical infrastructure. Today, no such policy exists across all government agencies.
"Government would be better off using its buying power to drive higher levels of security than trying to legislate higher levels of security," argues Pescatore. But the federal government doesn't require suppliers to meet a consistent set of security standards across all agencies.
Even basic changes in contract terms would help, says Schmidt. "There's a belief held by me and others in the West Wing that there's nothing to preclude one from writing a contract today that says if you are providing IT services to the government you must have state-of-the-art cybersecurity protections in place. You must have mechanisms in place to notify the government of any intrusions, and you must have the ability to disconnect networks," he says.
But government procurement policy's influence on standards can go only so far. "The government isn't buying turbines" and control systems for critical infrastructure, says Lewis.
When it comes to shutting down attacks, faster reaction times are key, says Bejtlich. "Attackers are always going to find a way in, so you need to have skilled people who can conduct rapid and accurate detection and containment," he says. For high-end threats, he adds, that's the only effective countermeasure. Analysts need high visibility into the host systems, Bejtlich says, and the network and containment should be achieved within one hour of intrusion.
Perhaps the toughest challenge will be creating the policies and fostering the trust required to encourage government and private industry to share what they know more openly. The government not only needs to pass legislation that provides the incentives and protections that critical infrastructure businesses need to share information on cyberthreats, but it also needs to push the law enforcement, military and intelligence communities to open up. For example, if the DOD is planning a cyberattack abroad against a type of critical infrastructure that's also used in the U.S., should information on the weakness being exploited be shared with U.S. companies so they can defend against counterattacks?
"There is a need for American industry to be plugged into some of the most secretive elements of the U.S. government -- people who can advise them in a realistic way of what it is that they need to be concerned about," says Hayden. Risks must be taken on both sides so everyone has a consistent view of the threats and what's going on out there.
One way to do that is to share some classified information with selected representatives from private industry. The House of Representatives recently passed an intelligence bill, the Cyber Intelligence Sharing and Protection Act, which would give security clearance to officials of critical industry operators. But the bill has been widely criticized by privacy groups, which say it's too broad. Given the current political climate, Hayden says he expects the bill to die in the Senate.
Information sharing helps, and standards form a baseline for protection, but ultimately, every critical infrastructure provider must customize and differentiate its security strategy, Amoroso says. "Right now, every business has exactly the same cybersecurity defense, usually dictated by some auditor," he says. But as in football, you can't win using just the standard defense. A good offense will find a way around it. "You've got to mix it up," Amoroso says. "You don't tell the other guys what you're doing."
Next: Timeline: Critical infrastructure under attack
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
