New York Blackouts -- Deja Vu?
Because our critical infrastructure is so completely integrated, with the power out for even a day or two, both food and water supply soon fail. Transportation systems would be at a standstill. Wastewater could not be pumped away... In time natural gas pressure would decline... communications would be spotty or non-existent... Work, jobs, employment, business and production would be stopped... Martial law would likely follow, along with emergency food and water supply relief... In time, the power will start to come back.
Yesterday, the Obama Administration held a cybersecurity demo in the Senate that simulated an attack on the New York City power grid. More than 30 Senators attended. The quote above, however, is not from that event. It is a quote from testimony given by Paul Gilbert, representing the National Academies, at a House Homeland Security Committee hearing entitled "Implications of Power Blackouts on America's Cyber Networks and Critical Infrastructure." That hearing was nine years ago -- in September 2003.
As I pulled the witness testimonies from that hearing last night, I realized how little has changed over the last nine years. The current debates in Congress on how to tackle cybersecurity are not dissimilar to the debates that were happening almost a decade ago.
Compare snippets from the various testimonies during the 2003 hearing with quotes and commentaries from today's debate on cybersecurity:
2003: Testimony of Peter Orszag (who was then a Senior Fellow at Brookings): The general conclusion is that we can't just "leave it up to the market" in protecting ourselves against terrorist attacks. The market has an important role to play, but government intervention in some form and in some markets will be necessary to fashion the appropriate response to the threat of terrorism.
2012: Politico reports on March 7: GOP lawmakers and executives from ISPs, including AT&T and CenturyLink, argued during an [Energy & Commerce] Communications and Technology Subcommittee hearing on cybersecurity Wednesday that imposing new regulations on the private sector not only won't prevent cyberattacks, but may hinder industry's own security efforts.
2003: Testimony of Kenneth Watson, President and Chairman, Partnership for Critical Infrastructure Security: In many critical infrastructure industries, CEOs and other executives are not aware of the role of the sector coordinator, do not know who their coordinator is, and use other means to coordinate in their critical infrastructure assurance actions. Industry sectors are neither homogeneous nor hierarchical, but in the rapid-paced, complex world of critical infrastructure assurance, single belly-buttons are absolutely needed to coordinate actions within and across critical sectors.
2012: Letter from NTIA, US Telecom and CTIA to House and Senate Leadership: Effective cybersecurity detection and deterrence also requires the ongoing sharing of threat information between government and infrastructure providers. Legislation that removes the current legal barriers to information sharing and establishes the appropriate safeguards for the use of such information would greatly improve cybersecurity.
2003: Testimony of Karl Rauscher, Founder and President, Wireless Emergency Response Team: The President has called on the people to be volunteers. In addition to soup kitchens and mentoring programs, critical infrastructure technology experts have figured out what they can "do for their country" in these anxious times. There are countless individuals who give of their vacation time, evenings and weekends because of their sense of duty and love for this country. They develop Best Practices and standards, conduct research, provide explanations to government officials and are on call 24 by 7 for the next crisis. Industry-Government partnerships are supported by significant volunteer effort and are highly effective.
2012: Testimony before the Communications and Technology Subcommittee, CenturyLink Chief Security Officer David Mahon: We strongly caution against a traditional regulatory approach based on government mandates or performance requirements. Because our network is the one central asset to our business, CenturyLink and our industry peers already have the strongest commercial incentives to invest in and maintain robust cybersecurity.
2003: Testimony of Larry Mefford, Executive Assistant Director, FBI: Terrorists could choose a variety of means to attack the electrical power grids if they choose to do so, ranging from blowing up power wire pylons to major attacks against conventional or nuclear power plants. We defer to DHS, however, for an assessment of the vulnerabilities of the electrical power system and the necessary responses to damage to various types of power facilities.
2012: Quote of Eric Rosenbach, deputy assistant secretary of Defense for Cyber Policy in the Department of Defense in Wired magazine: Obviously, there are amazing resources at NSA, a lot of magic that goes on there. But it's almost certainly not the right approach for the United States of America to have a foreign intelligence focus on domestic networks, doing something that throughout history has been a domestic function.
2003: Testimony of John McCarthy, Director of the Critical Infrastructure Protection Project: The Blackout experience highlights our nation's serious problems with infrastructure, including poor comprehension of our vulnerabilities and lack of awareness or preparedness for the interdependencies of infrastructures. The Blackout stresses the need to further identify, map and define our critical assets and properly assess their vulnerabilities - as have 9/11, the first bombing at the World Trade Center, Y2K, and numerous debilitating cyber attacks.
2012: Op-ed by Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine), John D. Rockefeller IV (D-W.Va.), and Dianne Feinstein (D-Calif.) for CNet: September 11 reinforced the need to stay one step ahead of those who would do us harm. Now we must apply those lessons to cybersecurity. If we fail to act, we only increase the likelihood that we will have to cope with the aftermath of a massive cyber attack.
So what can we conclude from this comparison? One, the issue of cybersecurity is not new and has been debated for years, if not decades. Everyone seems to agree that something needs to be done, but little progress has been made in changing the legislative landscape governing cybersecurity. Two, information sharing is important, but the question of what mix of regulation versus incentives to use has not been answered. Three, DHS is probably the best organization to lead the government's cyber efforts (in the non-military space). Lastly, we can determine that threats to critical infrastructure are real and that Members of Congress listen when threats are discussed. How they want to respond is the question, and it is quickly turning partisan and overly political on a topic that is not controversial.