22 November 2009

National Security: Cyber Infrastructure Risk...

Is your organization a threat to national security? That depends on whether you own, install, and maintain critical infrastructure. When you hear that term, "Critical Infrastructure," what comes instantly to mind? A bridge, a road or some other shovel ready project impacted by the EESA?

Yes, the hard leap for many to get their head around is that your cell phone, TV and Internet connection are vital "Critical Infrastructure," and if you are a Verizon, AT&T, Sprint or large cable company in the United States, national security is a top-of-mind issue. Is it possible that our country is at risk because of the same "Risk Management" paradigm that has plagued the Financial Services industry? A lack of resources and focus to detect, deter, defend and document risks to critical infrastructure could turn into a systemic and interdependent threat to our national security.

How can you make the case for the economic meltdown in the financial services sector to be similar to the potential failure of the communications, IT, water or energy sector? It's easy. Look at human behavior and at the motivators of greed, selfishness and just plain blindness to a "risk bubble" just waiting to burst. Who will be the next Bear Stearns in the communications sector? The fact is that a marketing department may have a larger budget than the internal audit department and the security department combined. When the nuts and bolts, concrete and plumbing associated with electronic commerce, banking, and just plain office automation come to a slow crawl or halt in their tracks, the government will have to do the same thing all over again: bail out the industry and the companies who are the lifeblood of our critical infrastructure.

Our national security is at stake and the owners and operators are still waiting for the right incentives to invest in robust maintenance and security programs, instead of more marketing. After all, market share is what shareholders ask about along with how many new subscribers you won or lost last quarter. How often do we hear the question at the shareholders meeting that asks about the amount of downtime, failed systems or customers without service as a result of a "Glitch" or fried circuit board?

So how does the electronic critical infrastructure really impact national security? Homeland Security Presidential Directive 7 gives us some insight:

1. This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.

2. Terrorists (including Cyber) seek to destroy, incapacitate, or exploit critical infrastructure and key resources across the United States to threaten national security, cause mass casualties, weaken our economy, and damage public morale and confidence.

3. America's open and technologically complex society includes a wide array of critical infrastructure and key resources that are potential terrorist targets. The majority of these are owned and operated by the private sector and State or local governments. These critical infrastructures and key resources are both physical and cyber-based and span all sectors of the economy.

4. Critical infrastructure and key resources provide the essential services that underpin American society. The Nation possesses numerous key resources, whose exploitation or destruction by terrorists could cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction, or could profoundly affect our national prestige and morale. In addition, there is critical infrastructure so vital that its incapacitation, exploitation, or destruction, through terrorist attack, could have a debilitating effect on security and economic well-being.

5. While it is not possible to protect or eliminate the vulnerability of all critical infrastructure and key resources throughout the country, strategic improvements in security can make it more difficult for attacks to succeed and can lessen the impact of attacks that may occur. In addition to strategic security enhancements, tactical security improvements can be rapidly implemented to deter, mitigate, or neutralize potential attacks.

A culture of risk management is slowly making its way into the Board Room conversations and the CEO may be on notice if the "Tone at the Top" is not focused on risk mitigation. However, that "Tone at the Top" needs to go beyond the shareholder value conversation to the national security topic. One only has to review what is happening in Brazil to get any sense of what may be heading to North America. The Toronto Sun reports:

SAO PAULO — Brazil’s president says last week’s massive blackouts in Latin America’s largest nation were caused by a short-circuit in a transmission tower. But President Luiz Inacio Lula da Silva says it’s unclear how the short-circuit happened.

The outages left nearly a third of Brazil’s 190 million citizens in the dark — raising concerns about energy security for football’s 2014 World Cup in Brazil, and the 2016 Olympic games in Rio de Janeiro.

Silva said Monday on his weekly radio program that the short-circuit happened in the rural Sao Paulo state town of Itabera. He says an investigation will determine why but offered no prediction on when it will be concluded.

Silva also says he will work hard to make sure similar blackouts don’t happen again.

One only has to look further in a few places on the "Net" to get some idea of what the offensive cyberwarfare conversation is all about. Once you understand that the Brazil incidents are just a test, then you realize that US shovel ready projects need a new public service announcement (PSA) with the shock value of texting while driving. The risk of a specific kind of behavior on the road or within the corporate enterprise can have the same results. We have already nationalized the likes of AIG, Freddie Mac and Fannie Mae. Perhaps it is time to do the same for Cisco, Verizon, AT&T and others who are vital to national security and have them report to the Pentagon.
