Monday, February 7, 2011

Grid Cyber Security and the Kill Switch Concept

Egypt's recent Internet "full stop" got us started, and now it seems like esoteric electrical grid security concepts are slowly transitioning from obscurity to mainstream, via a bunch of new bills on Capitol Hill and a provocative Scientific American article. 

In a recent SciAm piece titled "What Is the Best Way to Protect U.S. Critical Infrastructure from a Cyber Attack?", we learn that Senator Lieberman's "Protecting Cyberspace as a National Asset Act" is vying with last year's Grid Act, and as interpreted by James Lewis, senior fellow at CSIS, is going several steps further:
"The central part is that voluntary action is no longer sufficient for national security and that the private sector cannot secure their networks against advanced opponents."
OK, I've got to throw the first flag here. Show me evidence that the public sector is better at cyber security than the private sector. Good luck with that. In my opinion, while there's some value in discussing the merits of voluntary vs. enforced cyber security, we're not going to sleep better by having private sector security leadership emulate their government counterparts.

And then there's this, again from Mr. Lewis:
"We're in a transitional moment, and this debate over an Internet kill switch is part of that. You have the old-school Internet thinkers who are wedded to this pioneering vision that we have to keep the Internet open and unstructured because that will empower innovation. People really believe that. People also believe in flying saucers, and these ideas are about equal."
Wow. No offense is intended, but unless he was seriously misquoted, Mr. Lewis is equating one of the key engines of our economy, innovation, with the amusing yet unhinged true believers in Close Encounters of the Third Kind, and that makes him seem, to me at least, a somewhat less-than-serious scholar. My second flag is thrown. 

Once again, mainstream media is aiding and abetting alarmists who want the US rank and file to believe that we're just moments away from a complete cyber meltdown. In this case, it's more than a little disturbing, as I've always viewed SciAm as the sober middle ground between heavy-duty, peer-reviewed science journals and more overtly entertaining, though also more sensationalist, publications like Popular Science and Popular Mechanics.

For the record, let me repeat: in the electric sector we have a lot of work to do re: shoring up cyber security, and (mainly) we're doing it. We're far from bulletproof, yet the work proceeds, and every day we learn a little more and make our systems a little better at weathering cyber storms. Sometimes I wish that story would command half as much attention as ones like these.

Hat tip to cyber security colleague Dave Hemsath (linchpin of the Boston-Austin connection) for this.
