In 1912, the Titanic disaster led to the formation of the International Maritime Organization (IMO) – a United Nations agency responsible for creating international standards for the safety and security of shipping. In 1956, the Trans World–United Airlines incident dramatized the fact that definitive measures were required to mitigate the risk of midair collisions, resulting in the creation of the US Federal Aviation Agency (FAA).
In 2009, President Obama identified cybersecurity as one of the most serious economic and national security challenges the US faces as a nation – a challenge he admitted that our government, and the country, are not adequately prepared to counter. America’s critical infrastructure, fundamental to economic prosperity, public safety and national security, is dependent on computer systems and, therefore, cybersecurity.
Since 2009, little legislative or standards progress has been made between industry and government to secure America’s digital infrastructure against cyber threats. Voluntary information sharing and educational programs have been established, like the National Cyber Security and Communications Integration Center (NCCIC), the Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) program and the Electric Sector Cyber Security Capability Maturity Model (ES-C2M2).
Information sharing and education is critical, but these measures are not enough to ensure the security of our nation’s critical infrastructure. Industry as a whole still does not see cyber attacks as a huge threat. Since the collapse of its attempt to pass the 2012 Cyber Security Act, Congress remains gridlocked on the issue. Given the lack of legislative action, the White House is rumored to be drafting an Executive Order setting guidelines that will include incentives for sharing information between government and private operators of critical infrastructure. Leaked copies of the draft have sparked concerns in the legislative and private sectors that the proposed Executive Order ignores issues concerning privacy and liability, with many voicing fears that disclosure of network security information to the government could compromise the integrity of their systems.
Given the gravity of the nation’s cybersecurity situation, it is important that the actions taken not only be immediate, but also take into account what is right for now and the future. With cyber incursions against the US government and commercial networks topping 100,000 incidents in 2011, we cannot afford to waste any more time coming up with a viable cyber defense plan.
Recent threats such as Stuxnet, Duqu, Flame, and Shamoon have proven that cyber attacks threaten to penetrate and sabotage critical control and monitoring systems with significant consequences. Every day we delay, cyber intruders continue trolling for ways to disrupt our nation’s infrastructure – stealing intellectual property worth up to $1 trillion, probing electrical grids for the vulnerabilities that will enable them to plunge entire cities into darkness, or using a key stroke to commit the next act of mass destruction. Just as lack of sufficient attention to safety within the aviation community will have a wider impact than just the company, lack of sufficient attention to cybersecurity within the critical infrastructure will have a wider national impact. In these cases, the government must ensure that national interests are protected, not just the companies’.
Similar to the IMO and FAA, government should serve as an industry advocate focusing on identifying policies and controls. This doesn’t mean the regulatory bodies need to tell industry how to meet the challenges of cybersecurity – just that it has to.
The FAA grants aircraft manufacturers ‘airworthiness’ certificates and carriers licenses to operate. They do not tell industry how they should meet safety levels, only that they will not be allowed to operate unless they do. A “Cyber-FAA” organization should be created to develop standards and ensure compliance – like air traffic controllers oversee air traffic today. Their first priority would be to protect Americans from cyber threats and help private industry harden and build resilient networks to cope with the threats emanating from cyberspace. One necessary component of this plan is the adoption of minimum security standards. These standards must be collaboratively developed by government and industry and not be overly burdensome. Only Congressionally mandated incentives and repercussions can make such a process viable.
Regulation and mandates force action and require companies to comply while driving up costs. Advocating standards incentivizes cybersecurity vendors to invest in research and development, by motivating them to stay ‘ahead of the curve’ to meet the needs of their customers – helping offset costs. Similar to the DoD standards enforced today, “Cyber-FAA”-driven standards will encourage industry to develop and implement solutions that are independently tested and certified for compliance.
Shipping serves more than 90% of global trade, and the IMO is there to help maintain the security and safety of cargo and passengers. Millions of people in the US travel by airplane every year, and the FAA constantly strives to ensure air safety. With cyberspace touching nearly every part of our daily lives, who is there to maintain its security?
Time is of the essence. Government and industry need to work together to ensure that companies are adequately addressing cyber risks that threaten the physical and economic security of our nation while respecting the values of freedom, openness and innovation fundamental to us all.
Olugbenga “Benga” Erinle is president of 3e Technologies International (3eTI), an Ultra Electronics company and provider of government-validated, cyber secure network solutions that enable security for critical information systems, infrastructure protection and industrial automation. Erinle was appointed by NATO’s Civil-Military Planning and Support Section (CMPS) and the Euro-Atlantic Partnership Council (EAPC) as an Electronics Communications Expert in Critical Information Infrastructure Protection (CIIP). He also is a selected Subject Matter Expert (SME). Erinle has an MBA from the University of Maryland, a bachelor’s degree in electrical engineering from Howard University and a bachelor’s degree in math from Bowie State University.