If you ask 100 government technology leaders around the country about the importance of public-private partnerships regarding cybersecurity and critical infrastructure protection, 99 will likely agree that improved collaboration and information sharing are important.
But how do we take these vital security goals to the next level? What are the desired outcomes and corresponding actions required to strengthen our mutual cyber defenses? Where do you start?
Harvard Business Review Blog on Cybersecurity Cooperation
I recently read a Harvard Business Review (HBR) blog by Harry D. Raduege Jr., which clearly lays out the case for more to be done in the short term. For example:
“The public and private sectors need to work together to protect critical assets with confidence and trust — helping manage the risks we know, and getting ahead of those we don't.
There are two primary areas of concern. The first focuses on the concept of enhanced public/private information sharing and developing standards. The second is crafting a cybersecurity framework that addresses risks across government and industry — and to do so quickly….”
General Raduege is certainly not alone. News stories are popping up all over America describing new agreements and solutions related to protecting critical infrastructures. Here are just some of those headlines:
1) Spending on cybersecurity for critical infrastructure to reach $46 billion by end of 2013 - Always-on Internet connectivity has ushered in a new cyber-age in which the stakes are higher. Disruption and destruction through malicious online activities are the new reality: cyber-espionage, cyber-crime, and cyber-terrorism. Despite the seemingly virtual nature of these threats, the physical consequences can be quite tangible.
ABIresearch reports that the cyber protection of critical infrastructure has become the most immediate primary concern for nation-states.
2) Waterfall Security Solutions and OPSWAT Unveil Joint Solution for Protecting Critical Infrastructures - Waterfall Security Solutions and OPSWAT announced a joint solution for protecting unidirectionally-protected nuclear generation networks and other critical industrial infrastructures.
3) Critical Infrastructure Protection (CIP) Market to Reach $105.95 Billion By 2018 at a CAGR of 10.7% - New Report by MarketsandMarkets - … Major forces driving this market are the increasing dependency of the government and commercial organizations on IT communications and the development of automation across all verticals, growing need for cost-effective security solutions and the market trend of deploying best practices for a better response in case of emergencies. The need for cost-effective business processes is soaring as organizations aim to gain a competitive edge in the industry. Critical infrastructure security solutions ensure cost efficiency and reliability as they deploy both traditional physical security and modern cyber security …
Presidential Priority – A Sense of Urgency
President Obama addressed the importance of this topic in his State of the Union address earlier this year. Reaction to the President’s directives and executive order has been mixed, but there is no doubt that all sectors of the economy are now taking notice and recognized the need to do something more to protect critical infrastructures against cyberattacks. There is a new sense of urgency, with nationwide back-office briefings of major system vulnerabilities along with the need to close security holes quickly.
If you talk to anyone inside the Washington, D.C., Beltway these days regarding cybersecurity, they are all busy working on one of the committees, workgroups and task forces that are updating the National Infrastructure Protection Plan (NIPP), the new NIST national framework outlining future direction on cyber protections for critical infrastructures and other Presidential EO deliverables.
Progress reports and more details on specific actions being performed can be found at this White House website.
What Should State and Local Government Leaders Do Now?
But while it is clear that many committees are meeting, documents are being created and actions are being called out, the big question is what protections will actually be implemented by owners and operators of critical infrastructures over the next several years. Will we be ready if something like a “Cyber-Pearl Harbor” happens?
In Michigan, our government technology leadership has been meeting with technology leaders in the private sector for over a year. We have established “Kitchen Cabinets” for both the State CIO and State CSO which meet monthly with private sector counterparts on a wide range of issues of mutual interest. Some of the meetings are face-to-face, and some our teleconferences, but either way, cybersecurity and critical infrastructure protection topics are at the top of our list.
From our major public utilities to the financial sector to transportation and auto companies, the diverse mix of technology professionals makes conversations intriguing and fast-paced.
One product of the CISO Kitchen Cabinet has been our Michigan Cyber Disruption Response Strategy, which I will discuss in more detail in an upcoming August 2013 blog. This document brings the many aspects of cybersecurity protections for Michigan critical infrastructures down to a practical state and local level.
No – government cannot possibly eliminate risk for private-sector owners and operators of critical infrastructures, as cyberdefense is a company business function. However, we can work together, share important information and prepare for various scenarios -- as we do with fires, floods, tornadoes and other emergencies today.
The most important first step is to start talking now. Get to know each other and begin the dialog. More guidance is coming from the federal government, but all emergencies are local.