Federal and industry cybersecurity experts testified before a House Energy and Commerce Committee hearing Tuesday, offering diverging opinions on what steps the government should take to ensure protection of the nation’s critical infrastructure.
According to Ambassador R. James Woolsey, chairman, Woolsey Partners LLC and former director of the Central Intelligence Agency, we should be more concerned with the safety of our electric grid than with any other critical infrastructure component.
Why? Even a small nuclear detonation over the United States could seriously damage or destroy a substantial portion of the electrical connections holding the grid together. A relatively low-level attack, launched from nothing more than a weather balloon, could take out approximately 70 percent of the nation’s grid in one blast.
The failure of the nation’s electric grid will cause a chain reaction, bringing down all 17 critical infrastructures with it, Woolsey said. North Korea, China and Iran all possess or are in the process of acquiring these capabilities.
In discussing what steps are required to mitigate the possibility of the aforementioned attacks and whether a National Institute of Standards and Technology cyber framework will suffice, Woolsey said “with this kind of problem, we have to have a national policy and a national commander in chief.”
Rep. Marsha Blackburn (R-Tenn.), overseeing the May 21 committee hearing, favored the industry-led, multistakeholder cyber framework underway at NIST. “[O]ur focus should be on developing consensus based public policy that puts American business in the driver’s seat,” she said.
At the heart of the debate is whether standards will provide enough incentives for industrywide adoption or if government regulation via new cyber legislation is required.
Patrick Gallagher, director of NIST, was optimistic about the agency’s ability to create a robust framework to protect U.S. critical infrastructure within the one-year time frame mandated by Executive Order 13636.
For Gallagher, an effective framework must be developed through an industry-led process, open and transparent to all stakeholders. NIST standards are not synonymous with regulation. The industry-driven standards embedded in a NIST cyber framework would not be static, but could adapt to meet technological developments and performance requirements.
A multistakeholder approach to cyber standards will significantly bolster the relevance of the resulting framework to industry, making it more appealing for industry to adopt, Gallagher said.
Despite Gallagher’s optimism, many of the senior industry personnel on the following panel disagreed. Dave McCurdy, president and CEO of the American Gas Association and former chairman of the House Intelligence Committee; Mike McConnell, vice chairman of Booz Allen Hamilton and former director of National Intelligence; and Woolsey advocated strongly in their testimonies for additional cyber legislation, wary of standards that lack enforcement power.
“[P]ut it in law what you don’t want to happen,” McConnell suggested.
“The problem is that sometimes that regulation is overly specific about a technology and ends up hindering rather than helping companies to be optimally secure,” said Phyllis Schneck, vice president and chief technology officer of McAfee’s global public sector. “We urge the adoption of a faster review process, possibly an annual review of rules, and we also urge that regulations be outcome-based. For sectors not already regulated, we urge information sharing, innovation, and positive incentives.”