Hal Snedden is a FedScoop contributor and a cybersecurity policy analyst with PotomacWave Consulting.
Five months ago, on Feb. 12, President Barack Obama spoke to the American people in his State of the Union address about the cybersecurity threat we face from our enemies. Americans were told the electricity for their TVs, their 401(k) retirement savings accounts, and their vacation flights were all vulnerable to being disrupted or compromised by cyberattacks from our adversaries abroad.
Hearing this for the first time in a State of the Union address, most Americans were frightened, although few understood or realized how these threats could materialize into electrical service interruptions, online financial theft or widespread airplane groundings due to airline scheduling system shutdowns.
The public should not be blamed for failing to comprehend the threat. Cybersecurity threats, in general, are a difficult concept to conceptualize. Without an actual event that disrupts critical infrastructure’s essential services described by the president, Americans are left to their imaginations or fictional events depicted in cinema or on television.
This lack of corroborative evidence may explain why the American public has not demanded en masse immediate cybersecurity legislation from Congress or why political partisanship has not been overcome by the urgency to mitigate the threats. Perhaps the urgency for passing legislation was pacified by the president’s cybersecurity executive order, signed into law before the State of the Union. The mandate is serving as a partial solution.
Five months after president’s speech, we are in a similar position. Americans do not yet grasp the magnitude of the enormous threat to critical infrastructure. This isn’t for lack of warnings. Just recently, The Wall Street Journal reported Iranian-backed hackers had infiltrated the “control system software,” potentially enabling them to “manipulate oil or gas pipelines.” By inference, our enemies could be within striking distance of disrupting not only our energy infrastructure. Obviously, this is a serious problem that needs our attention.
That we aren’t keenly aware of the threat to critical infrastructure worries some in Congress. Rep. Patrick Meehan, R-Pa., chair of the House subcommittee on cybersecurity, recently stated, “We in Congress, and across the governmental sector, aren’t doing a good enough job of really alerting the citizens in general about the true nature and scope of the threat we face.”
This isn’t to infer Congress and federal departments and agencies aren’t working hard to promote awareness of cybersecurity and communicate the threat. In April, comprehensive cybersecurity legislation was passed by the House dealing with information sharing between critical infrastructure and the government. The legislation stalled in the Senate due to privacy concerns, but we can expect Congress to revisit cybersecurity later this year, once immigration and the sequester are addressed.
Also, federal executive departments and agencies are bringing awareness to cybersecurity. There is a plethora of cybersecurity websites maintained by these government entities that highlight and discuss an array of cyber-based threats from a variety of sources.
If the information is available and we know the threat exists, why has there been so much difficulty in understanding the problem and coming up with a solution? Dorothea Brande, an American writer, famously stated, “A problem clearly stated is a problem half solved.” We can learn from her wisdom.
The challenge will be rethinking government communication strategies and policies to determine why the current message on the threat environment has not been successful in creating a public understanding of its scope and implications. The stakes couldn’t be higher — the security of our critical infrastructure depends on it.