UPDATE: The Obama administration plans to create a new military command to coordinate defense of Pentagon computer networks and improve U.S. offensive capabilities in cyberwarfare, according to a Wall Street Journal report.
The initiative will reshape the military's efforts to protect its networks from attacks by hackers, especially those from countries such as China and Russia. The new command will be unveiled within the next few weeks, Pentagon officials said.
And self-regulating organizations like the North American Electric Reliability Corporation (NERC) will no longer be left to their own devices to determine compliance issues. NERC had been granted authority to self-regulate the electrical grid by the Federal Energy Regulatory Commission (FERC), but that will soon change.
Edward Markey, the chairman of the House Energy and Commerce Committee's Subcommittee on Energy and the Environment, sent a letter to FERC last week "regarding the escalating cyber breaches threatening to compromise the electricity grid," stating, "If there are holes in the government's ability to protect the electricity grid from attack I am committed to doing everything necessary to improve FERC's ability to defend against these threats."
Sean Sherman, senior compliance architect at IT configuration and compliance vendor Tripwire, told me the U.S. is "going to go into a much more intensive regulatory mode as we try to target these things and frankly, it's probably appropriate." He also poked at the very idea of self-regulation embodied by NERC, saying, "The essence of self-regulation is kind of paradoxical, because compliance assumes some kind of oversight, doesn't it?"
At the heart of this issue is a recent survey conducted by NERC, which showed that most utilities claim they don't have any critical cyber assets to protect, exempting them from the related compliance burden.
More than 70% of the owners and operators of power generation systems and about 37% of transmission companies said they did not possess any assets at all that met that description. Only 23% of non-affiliated members, which are typically smaller entities, reported they had at least one critical cyber asset.
Talk about self-serving claims.
The federal government isn't alone in its efforts to shore up the security of critical infrastructure and key resources, noted Larry Shattuck, a spokesperson for InfraGard, a public-private partnership including private sector IT security professionals and the FBI.
Shattuck told me in an email that one of the group's principal activities is educating the general public and corporate leaders so they don't become the weakest link in the infrastructure security chain. "These folks repeatedly, time and time again, ignore the threat THEY pose to our country's security when they ignore simple protocol on their own systems," he noted.
InfraGard has been around for almost ten years, and Shattuck says the organization has been able to help avert attacks and solve cyber-crimes more quickly thanks to cooperation between the private sector and the feds. More is needed, as these recent reports have shown. But if you want to join InfraGard, be aware that you'll have to undergo a background check by the FBI.