Protecting critical infrastructure organizations against cyber attacks is a perpetual topic of conversation in Washington. Over the past few years, President Barack Obama, along with various senators and congressmen, has proposed several cybersecurity programs. They include the NIST (National Institute of Standards and Technology) Cybersecurity Framework and an increase in threat intelligence sharing between critical infrastructure organizations, federal intelligence, and law enforcement agencies in order to bolster cybersecurity in critical infrastructure segments.
While Washington still ponders some type of solution, cybersecurity discussions about critical infrastructure are nothing new. Recognizing a national security vulnerability, President Bill Clinton first addressed critical infrastructure protection (CIP) with Presidential Decision Directive 63 (PDD-63) in 1998. Soon thereafter, Deputy Defense Secretary John Hamre cautioned Congress about CIP by warning of a potential “cyber Pearl Harbor.” Hamre stated that a devastating cyber attack “… is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.” Years later, in October 2012, similar alarms were sounded when Defense Secretary Leon Panetta also warned of a “cyber Pearl Harbor” against critical infrastructure.
Over the course of more than 20 years and through several presidential administrations, the U.S. government has developed an assortment of programs intended to bolster cybersecurity in critical infrastructure organizations. It is certainly fair for American taxpayers to ask whether these programs are effective or whether the government should be doing more to help. To find answers to these questions, the Enterprise Strategy Group (ESG) surveyed 303 cybersecurity professionals working at critical infrastructure organizations to gather their opinions on U.S. cybersecurity policies, programs, and strategies.
ESG’s first question was rather basic. The cybersecurity professionals were asked their opinions on the U.S. government’s overall cybersecurity strategy. The results were mixed at best.
- 22 percent believe the government’s strategy is extremely clear and thorough
- 47 percent believe the government’s strategy is somewhat clear and thorough
- 25 percent believe the government’s strategy is somewhat unclear and not very thorough
- 5 percent believe the government’s strategy is extremely unclear and not at all thorough
- 2 percent responded “don’t know”
One could easily conclude that the data resembles a normal curve in which the majority of respondents believe the U.S. government’s cybersecurity strategy is somewhat clear, while the rest of the survey population is distributed between those who believe the strategy is very clear and those who say it is unclear. However, ESG views the results somewhat differently. In spite of over 20 years of cybersecurity discussions, many security professionals remain uncertain about the government’s plans. Clearly, the government needs to clarify its mission, its objectives, and its timeline with cybersecurity professionals to gain their trust and enlist their support for public/private programs.
While critical infrastructure security professionals may be unsure about the government’s strategy, the ESG research clearly demonstrates that they would like to see Washington become more proactive with cybersecurity programs and support. Nearly half (45 percent) of critical infrastructure organizations believe the government should be significantly more active with cybersecurity strategies and defenses, while 38 percent believe the government should be somewhat more active.
Finally, ESG asked the security professionals what types of cybersecurity actions the government should take. Nearly half (47 percent) believe Washington should create better ways to share security information with the private sector. This aligns well with the executive order signed by President Obama in February 2015, urging companies to share cybersecurity threat information with the federal government and one another.
Cybersecurity professionals have numerous other suggestions as well. Some of them could be considered enticements. For example, 37 percent suggest more funding for cybersecurity education programs while 36 percent would like more incentives, such as tax breaks or matching funds for organizations that invest in cybersecurity. Alternatively, many of the respondents recommend more punitive or legislative measures—44 percent believe the federal government should create a “black list” of vendors with poor product security—the equivalent of a scarlet letter. Forty percent say the federal government should limit its IT purchasing to vendors that display a superior level of security, and 40 percent endorse more stringent regulations, such as PCI DSS or the institution of laws with higher fines for data breaches.
The ESG research presents a clear and compelling picture: Cybersecurity professionals working at critical infrastructure organizations remain unclear about the U.S. government’s strategy. Nevertheless, this key constituency believes Washington should be more active with its cybersecurity strategy and programs.
ESG believes this brief should send a cogent and concise message to Washington: The government must engage with critical infrastructure security professionals, improve its communication by articulating a logical cybersecurity strategy, express a clear mission statement that includes success metrics, and find ways to provide help sooner rather than later.
Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service.