The National Institute of Standards and Technology was charged by the President with the creation of a framework for improving critical infrastructure cybersecurity, which it accomplished in February of 2014. This framework and its associated documents provide information on critical steps that business and industry, working with the federal government, should take to protect against, prevent, detect, respond to, investigate, and recover from a cyberattack. This matters not only because of the theft of customers' private information, as occurred in the hacking of Target databases, but most importantly (and this is the intention of the NIST document) because of the need to protect our nation's critical infrastructure – most of which is owned and operated by private industry. What about state governments? Do they have a role?
Working with various states around the nation, it has been interesting to see how they perceive their role in cybersecurity. Some are very hands-on, while others are far too comfortable in the back seat. State governments, it seems, are working to protect the cyber infrastructure they control (their own computer systems and data), but the position they take with respect to the private sector covers the whole spectrum from proactive to wait-and-see. One wait-and-see-er explains their position away by saying that if they don't own the cyber infrastructure they can't do anything to protect it. Interestingly enough, this particular argument came from a larger state which receives a higher cut of homeland security grant program (HSGP) funds than most and has a significant amount of critical infrastructure, including several nuclear power plants. They seem to have little interest in even working with business and industry to come to common understandings, discuss threat indicators, share ideas, and talk about procedures and priorities.
On the other hand, there are states, both large and small, that see benefit in working with their business and industry to protect critical infrastructure and data interests. While they acknowledge some challenges with the state not owning the cyber infrastructure of these companies (nor do they want to), they see nothing but benefits in forming cybersecurity working groups and conducting cyber preparedness activities, particularly exercises. This is the smart approach.
Given the number of cyberattacks that occur every day, it seems inevitable, just as with any disaster, that a successful cyberattack on a critical sector of our infrastructure will occur sometime in the future. Are we prepared? What are your states doing to prevent, protect against, and prepare for such occurrences? What are we missing?
© 2015 – Timothy Riecker
Emergency Preparedness Solutions, LLC