If there’s a lesson the security industry hopefully learned from the Stuxnet attack, it is that the government and the private sector need to join in an effort to respond quickly, the U.S. Department of Homeland Security Secretary said this week.
“The key thing we learned from Stuxnet was the need for rapid response across the private sector,” DHS Secretary Janet Napolitano told engineering students at the University of California, Berkeley. “There, we need to increase the rapidity of response, because in that area — as in several other recent attacks — we’ve seen very, very sophisticated, very, very novel ways of attacking. When you’re getting at control systems, now you’re really talking [about] taking things over, so this is an area of deep concern for us.”
Napolitano’s remarks come on the heels of a new survey that said cyber threats and vulnerabilities for critical infrastructure continue to rise and the communication between the private sector and government is still weak.
More than 40% of U.S.-based critical infrastructure companies still have no interaction with the federal government on cyber-defense matters, according to a survey of more than 200 critical infrastructure executives.
While there are those who now believe Stuxnet was a joint effort between the U.S. and Israel to damage the Iranian nuclear program, when the news first broke, the industry seemed unsure of what to make of the worm.
After realizing Stuxnet was active, DHS scrambled to analyze the threat. Officials flew in systems from Germany to the Idaho National Laboratory. In short order they were able to decode the worm, but for some time, companies running Siemens systems didn’t know what they should do.
Siemens and the DHS group responsible for communicating with operators of industrial systems (the ICS-CERT, or Industrial Control Systems Cyber Emergency Response Team) needed to get more information out to the public, officials said.
Napolitano said during her speech at UC-Berkeley that one of DHS’ responsibilities is to lead “the protection of critical infrastructure and its connections to cyberspace.”
“This is not something we can do by ourselves,” she said. “It requires a full range of partners – including other government agencies, the private sector, as well as individual users of the Internet. Right now, we’re building what we call a ‘technical ecosystem’ based on an understanding of cyberspace as a civilian, distributed place, and also the ‘policy ecosystem’ to support it.
“I use the term ‘ecosystem’ intentionally – because cyberspace is a dynamic, constantly changing, even organic environment. We cannot treat it as static or self-contained. Just last month, we put forward a technical vision for enhancing cyber security that is intended to empower individuals and enterprises across cyber networks to take action to enhance their own security operations. It has three primary building blocks: automation, interoperability, and authentication. Too often today, our cyber defenses are ad hoc, manual processes. Because things in cyberspace move at Internet speed, we need to move to a system of automated defenses, with real-time detection capabilities and coordinated responses. As we all know from waiting for a page to load on our computers or mobile devices, a few seconds is a long time in cyberspace.
“By developing and implementing automated defenses, we can combat threats at their earliest, least-costly stage, and minimize their impact. Many of today’s cyber systems and devices also operate independently, cannot exchange security data, or have inconsistent security policies. For the most part, these systems were developed by private entities fully independent of each other. By implementing more interoperable systems and policies from the outset, however, we can create a more common understanding and picture of threats, and improve our ability to combat them in a coordinated fashion.”