By Richard Summerfield
Given the increasing sophistication of cyber criminals and the potential risks faced by companies that fall victim to attack, cyber security has become a hot topic in recent years. According to a new report from the President’s National Infrastructure Advisory Council (NIAC), however, cyber defences in the US are not currently fit for purpose.
The report, 'Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure', was based on reviewing hundreds of previous studies plus interviews with 38 cyber experts, who were mostly in the financial services and electricity sectors.
The NIAC, which was created in the aftermath of the 11 September 2001 attacks in the US, is charged with the task of advising the Department of Homeland Security on the security of US critical infrastructure against any form of attack, be it physical or cyber based. It believes that cyber security provisions in the US are currently experiencing a pre-9/11 moment. According to the report, if more is not done to protect the country’s critical infrastructure, such as the financial system or electric grids in the US, both the government and private industries run the risk of missing a “narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack”.
The report notes: “Cyber is the sole arena where private companies are the front line of defence in a nation-state attack on US infrastructure. When a cyber attack can deliver the same damage or consequences as a kinetic attack, it requires national leadership and close coordination of our collective resources, capabilities, and authorities.”
The NIAC has proposed 11 specific recommendations to shore up the country’s cyber security defences. Chief among these is establishing specific network paths designated for the most critical networks, which would include dark fibre networks for critical control system traffic and reserved spectrum for backup communications during emergencies. The NIAC also recommended that private organisations and government bodies improve their threat information sharing. Among its other recommendations, the government should provide incentives for any hardware upgrades performed and establish a centre of excellence which will showcase best-in-class tools across the industry and provide a test bed environment for companies to test and evaluate new software.
“We believe the US government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber attacks – provided they are properly organized, harnessed, and focused. Today, we’re falling short”, the report suggests.