Official calls securing critical infrastructure against cyberattack impractical

An Energy intelligence official says utilities and companies operating major industries cannot afford to check all technology products for vulnerabilities.

Securing the nation's power grid and other computer systems that operate the nation's critical infrastructure against cyberattack is unrealistic, because companies cannot afford to check if suppliers have provided trustworthy products, said an intelligence official from the Energy Department on Thursday.

"If you give me influence or control of your hardware or software supply chain, I control your systems," said Bruce Held, director of intelligence and counterintelligence with Energy. "We're going to have to develop strategies [for managing the supply chain] that are consistent with [the assets] that we're trying to protect."

Systems that pose a national threat if compromised, including military command-and-control systems and networks managing weapons, must be built using equipment from trusted companies. The hardware and software must be checked for security vulnerabilities and possible malicious code that could cause problems, Held said. To vet the products would cost more than what private sector organizations likely can afford, he added.

"Cost considerations are going to make a security strategy impractical" for computer systems that are critically important but owned and operated by the private sector, including those that support the power grid, the transportation and financial sectors, and the other industries that make up the nation's critical infrastructure, Held said.

"We're going to have to think more about protection strategies, with an understanding that there will be residual risk," he said. "We never secured New York City from Soviet nuclear attack [during the Cold War], but we protected it very well. We need to start thinking along those lines."

Held suggested government and companies diversify the pool of suppliers that provide the computer hardware and software that help operate the critical infrastructure. "That will give greater security than [being] dependent upon one country that is a potential adversary," or could be more easily identified and targeted by potential attackers, he said.

Organizations also have to be more diligent about procuring technology from authorized suppliers. "Behavior is a problem," said Guy Copeland, chairman of the Homeland Security Department's cross-sector cybersecurity working group.

Public and private sector organizations should "not be procuring [computer] components and applications from gray market sources, where you can't vouch certifiably that the [product] came from the original manufacturer," he said. "Unfortunately, that happens far too much."