A conversation with a cyber security expert.
I had the opportunity to chat with Peter Mozloom, VP, Cyber Solutions, Modus Operandi about cyber security here in the United States. This discussion included the threats and the status of our preparedness efforts and what we can do better.
Peter held up the Department of Defense (DOD) as having done a good job over the years. All the military services are on the same sheet of music. They share documentation, installation, vulnerability tests, penetration tests, back-up and recovery procedures. Much of what they have accomplished could easily be transferred to other business and industry settings—but, we tend to want to re-invent the wheel. He remarked specifically about the electrical and power generation industry not building on what already exists.
You need to have a Security Vulnerabilities Program in place. The current electrical grid does not have the protection it needs, and as we move more towards a Smart Grid here in the USA, the risk of attacks getting through will increase.
Today there are attacks getting through all the time. You can’t prevent everything, so having a capacity to respond quickly is very important. While we sometimes hear of issues with banking systems and credit cards, it would be a bit of chaos if banks revealed every time a penetration of their systems was attempted. People’s confidence would be destroyed. Because it is a regulated business, the banking industry is one that is doing the most to prevent cyber-attacks from being successful.
Yet, we are still islands that need to be better connected. Cross domain solutions are needed while maintaining boundaries between entities. He shared that keeping things separated provides the boundaries. Manual switches are not all that bad and not everything needs to be controlled via the Internet. He noted one common problem with working across disciplines and infrastructures. He suggested that a “Captain Crunch Decoder Ring” is needed to understand the language of the group or discipline in order to sort through the jargon of the folks you are working with.
Since Peter has worked in the DOD environment, I asked about how much of the cyber work in DOD is being done with military (civilian and military) personnel versus civilian contractors. It is about a 60% contractor and 40% military mix of resources. In general, you pay about twice as much for a contractor as you do for an internal position. But then, you don’t incur the benefit and retirement burden of an organic person.
I asked about the source of cyber-attacks. He mentioned countries like Russia and China, from which attacks are coming all the time. China is developing its own secure operating systems for its country. It is designing them in-house. We need to do the same for our critical infrastructure protection for the Smart Grid. In contrast, Microsoft sold the Windows operating source code to China. They reengineered it and we are now in the reactive mode.
When an attack is ongoing, what should you be doing? Evidently our emergency management system of getting everyone in one room after an attack is a good way to respond. He stressed having the relationships in place before the event (does that sound familiar?). One key aspect is sharing what is happening to your organization, since an attack can spread. The first indication that anything is happening is the time to share what you know.
What would an interview be without some mention of social media? Is it a risk or is it part of the solution? Peter shared that he thinks social media will be big. It is a two-edged sword: it can be used to orchestrate an attack or to create awareness.
Lastly, he gave me “Peter’s Prediction” for 2012. He expects many more cyber-attacks will be coming across the spectrum.