Report: Critical infrastructure is a frequent target for cyberattacks

The majority of information technology and security executives at energy, transportation and other companies with a role in critical infrastructure say their computer networks have been infiltrated, according to a new study from a public policy research group.

According to a report released on Thursday by the Center for Strategic and International Studies and commissioned by Santa Clara, Calif.-based IT security firm McAfee Inc., 54 percent of about 600 executives surveyed worldwide said they had been subject to "stealthy infiltration" by high-level adversaries, and 59 percent believed representatives of foreign governments had been involved in the attacks.

"What's particularly striking is that when you give security and IT executives an opportunity to talk about attacks with a guarantee of anonymity, they reveal a shocking level of information," said report co-author Stewart Baker, a distinguished visiting fellow at CSIS and partner with law firm Steptoe & Johnson.

The types of intrusion varied, but included virus and malware infection and denial-of-service attacks that bombard Web sites with heavy traffic in an effort to force them to shut down.

"The networks of the companies and other enterprises that own and operate critical infrastructures worldwide are under frequent large-scale attacks," said Shaun Waterman, writer and researcher at CSIS and co-author of the report. "You could describe what we're facing now as a cyber cold war, but to the respondents to this survey the cyber war has already started."

Nearly one-third of those surveyed described their sectors as either "not at all prepared" or "not very prepared" to deal with breaches, and only 37 percent of respondents were confident their government was equipped to deliver sector-specific services in the face of a major cyberattack, according to the report.

"A significant majority -- 58 percent -- also believe that regulation by the government had improved their security" and sharpened policy, Waterman said.

Despite a number of reported cyberattacks in recent years, 44 percent of respondents saw the United States as a model for cybersecurity, CSIS found, in part due to high-profile programs of government outreach to critical infrastructure owners and operators. At the same time, 50 percent identified the United States as among the most vulnerable countries to infiltration of computer networks.

Respondents pointed to two common challenges for improving cybersecurity for critical infrastructure sectors: modifying old structures and organizations to deal with cyber threats, and finding useful ways to share sensitive information about threats and vulnerabilities with the owners and operators.

"Information sharing and partnership are themes that emerged as significant for how companies think about and address threats," Waterman said.