Securing Infrastructure

I’ve made occasional posts here about the challenges of securing various pieces of the US infrastructure from attacks, particularly cyber attacks, most recently in connection with the GAO’s warnings about the risks of the “smart grid” for electricity distribution.   In addition to the power distribution networks, there are other sections of critically-important systems that need to be protected: for example, the interbank electronic payments system.  (The two largest US banks process transactions each day worth $ 7-8 trillion.)  An article at the Network World site reports on a panel at the recently concluded RSA Conference 2011 that discussed the issue.

This is a tricky problem for a few reasons:

• The US systems are (mostly) owned by private entities, although some are operated by the government.  There is no existing mechanism for ensuring their security, or even for finding all the pieces.
• The need for cyber-security is a new one for many of these infrastructure operators.
• Networked systems are, generally, only as strong as their weakest component.

There are some economic reasons for concern, too.  A small participant, acting rationally in its own interest, will not spend more than it can possibly lose; yet a security vulnerability there may threaten the whole network.  This is another case of externalities, which I’ve mentioned many times here.  They occur, in this case,  when some part of the cost of a security failure are borne by someone other than the entity that can prevent the failure.   In this situation, rational market transactions will provide less security than the optimal amount.

The conference participants did come up with some sensible suggestions.  First, although the government may need to be involved to set standards, those standards should specify objectives or results, not technologies or solutions.  Mike McConnell, former Director of National Intelligence, and of the NSA, and now an Executive VP at Booz Allen Hamilton, spoke about this:

“To protect those transactions there should be a requirement for a higher level of protection to mitigate that risk,” he said, but that government should set the requirement and the private sector should compete to figure out how to meet it.

Another good suggestion was to require corporate officers to certify that any security requirements have been met, just as they are required to certify their financial statements.

[Bruce] Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results

I can tell you from personal observation that this is one approach that corporate executives do take seriously — that is why they can be expected to fight it, tooth and nail.

This is really a situation where I think the idea of some kind of self-regulation is non-starter.  The various industries involved will not like it, but it seems to me that a joint government-industry effort is going to be needed if any effective solution is to be obtained.