The shift from the Cold War to a new operational environment is well known to Michael Assante, chief security officer for the North American Electric Reliability Corporation (NERC), who was a young officer in Naval intelligence.
"There was a known security rule set" in the Cold War, he said at a recent panel discussion at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Awareness Month drew to a close.
"We knew and expected behaviors. We could calculate escalation. We took this into any account when we planned any action."
When cyberdefenses and communications entered the military, it was a "force multiplier," said Assante, who as chief security officer at NERC is charged with securing the electric grid. "We appreciated what it gave us. What we didn't realize was that cyber would be the thing that destroyed the rules of order."
Now, when there's a attack, determining what entity was responsible for the cybersecurity threat and how defenders should respond offers neither certainties nor clear lines of action. "We need to both think about how we plan the system so that it's reliable and how to protect that system," he said. "The cybersecurity challenge is one of the most concerning that faces North America."
The denial-of-service attacks against U.S. government sites in July were a time of "known unknowns. In the new world of cyber, it's an issue of 'unknown unknowns,'" he said, appropriating a line from former Secretary of Defense Donald Rumsfeld.
"2006 was a turning point in the cybersecurity world," said Assante. "We saw a stratification and specialization in the hacker world. It means a new problem set. It used to be one or two individuals. Now you have certain organizations which would specialize in vulnerabilities, others in weapons. The challenge to protecting infrastructure today is to understand what is in the realm of the possible."
That's especially true when it comes to securing the electric grid. "We're facing a new 21st-century grid -- the smart grid," he said. "For the first time, we're going to deploy it across the entire system, including the distribution system."
Addressing cybersecurity threats presents new challenges to utility companies and security executives. Now, for the first time, cybersecurity is being regulated. "The industry has said that we should have mandatory standards," Assante said. Those standards are now being enforced by NERC.
FISMA reform proposed
NERC compliance isn't the only area where cybersecurity threats are a concern. The federal government is moving on a number of fronts, including last month when the Department of Homeland Security opened a new unified cybersecurity center in Virginia. And in testimony before Congress last month, U.S. CIO Vivek Kundra said the White House will create a "cybersecurity dashboard," to be launched next spring. The project will be similar to the tool Kundra created for Data.gov.
The cybersecurity challenge is one of the most concerning that faces North America.
Michael Assante, chief security officer, North American Electric Reliability Corp.
"Just as the IT dashboard took us from a static, paper-based environment to a dynamic digital environment, the new cybersecurity dashboard will provide the government with a real-time view of threats facing us and our vulnerabilities," Kundra said.
The dashboard may be matched by reforms to the Federal Information Security Management Act (FISMA). Kundra said in his testimony that when FISMA was first enacted, the metrics "were lagging indicators focused on compliance rather than outcomes."
That issue was at the heart of the introduction of the Information and Communications Enhancement, or ICE Act, by Sen. Thomas Carper (D-Del.) earlier this year, which proposed a restructuring of cybersecurity rules.
The costs of FISMA reporting are also at issue. Carper said the certification and accreditation process required by FISMA costs $1.3 billion annually, along with another $1 billion each year for auditing FISMA compliance. Carper estimated the total spent on FISMA compliance at about $40 billion since its enactment in 2002. Automation may reduce those costs.
Let us know what you think about the story; email firstname.lastname@example.org.