James Lewis is Mr. Cybersecurity these days. A colleague (hat tip: Steve O) just sent a note out pointing to a new article appearing front and center on WSJ.com tonight, featuring prominent statements by Dr. Lewis, the Tech Policy Director of the K-Street think tank CSIS.
Two weeks ago I wrote a post that ridiculed as alarmist a few quotes, including one ostensibly made by Lewis, that appeared on another well known financial media site.
And just last week he testified before a Senate subcommittee about what he likes, and what he finds wanting, in the draft bill that's looking increasingly likely to make it through Congress sometime soon.
You should note that unlike last year's Grid Act, which passed the House (HR 5026, Grid Reliability and Infrastructure Defense Act), the focus of the current bill, and therefore of Lewis' testimony, is not energy-sector specific. Here's one of his opening sections, in which I find nothing not to like:
Reducing risk and vulnerability in cyberspace is a fundamental challenge. In considering this problem, we have learned through painful experience that market forces will not secure cyberspace and that existing authorities are inadequate for national security and public safety. The list of private sector companies, including technology leaders, whose defenses have failed is long and would be longer if all breaches were disclosed. Continuing to use a voluntary, market-driven approach to this new national security concern is irresponsible and guarantees a successful attack against our nation.
Our sector, of course, has the NERC CIPs. Much derided in some circles, though in my mind a huge improvement over the kind of security we'd likely see from pure "market forces," the NERC CIPs are anything but voluntary. And when versions 4 and/or 5 go into effect, they'll cover many more systems and require more security controls for most.
The 2012 Cybersecurity Act aims to give DHS the lead in securing critical infrastructure, and it's unclear to me how it might supplement or complement the current NERC CIPs. More on that later.
Anyone who tells you that we do not know how to do cybersecurity is sadly out of date. The National Security Agency, the National Institute of Standards and Technology, and other Federal agencies are pioneering techniques that can strengthen America's defenses. But while we can require implementation and measure the rate of implementation in the Federal government, there is no comparable ability to measure and secure commercial critical infrastructure. This remains the single largest vulnerability for America in cyberspace.
So while we have the NERC CIPs, you can take his point about "no comparable ability to measure" critical infrastructure to mean that while audits occur and fines are sometimes levied, neither DOE, nor FERC, nor NERC keeps track of how the utilities are doing. There's no standard framework that tells us which utilities are doing a great job and which ones are lagging. IMHO that is a problem.
You can read Lewis' full testimony HERE.
And one more thing: on Lewis' CSIS page he also includes a link called Serious Cyber Events. It's a comprehensive list of the most noteworthy known attacks and breaches from 2006 to the present. Out of a total of 87 events cited, only 2 involved power systems:
- January 2008. A CIA official said the agency knew of four incidents overseas where hackers were able to disrupt, or threaten to disrupt, the power supply for four foreign cities.
- April 2009. Wall Street Journal articles laid out the increasing vulnerability of the U.S. power grid to cyber attack; also highlighted were the intrusions into F-35 databases by unknown foreign intruders.