For a long time a debate has been going on regarding whether information security/cybersecurity has something to do with critical infrastructure, and if yes, how important cybersecurity is for critical infrastructure. This dilemma is definitely resolved with President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity.
For quite some time now, cyber attacks on various financial institutions, technology companies, and media houses have been filling the newspaper headlines. However, it seems that most people seem to be quite indifferent to such incidents – the “It’s just another hacker having fun” perception. What they don’t understand is that this could be merely foreplay to something much more serious.
For instance, could you imagine a blackout lasting 1 or 2 weeks? Or perhaps stopping the public transport for a couple of hours during rush hour (and doing that for couple of days in a row)? And how about this – stealing intellectual property from companies, so that they no longer have a competitive edge? (As a consequence, they have to lay off people, and the most profitable business goes to some other country, to some other continent.) And how about messing with IT systems of air traffic control? Or the systems of nuclear power plants? Or perhaps those of the stock exchange? Coupled with launching some (false) news through legitimate media houses?
And all of this together? Compared with something like that, 9/11 would seem like child’s play.
I’m not saying this will happen for sure, but rest assured that this is definitely one of the options the attackers are considering. Why? It is much easier to weaken a nation by attacking its critical infrastructure than by attacking it with conventional weapons.
This is because a cyber attacker doesn’t have to assemble an army or purchase weapons; it doesn’t even have to train suicide bombers and then figure out how to infiltrate them into a foreign country; it doesn’t matter if their attack succeeds or not, because the attackers will always be protected, far out of reach of the legal system of the country they’ve attacked; and lastly, most countries still do not have a doctrine on how to treat cyber attacks, so basically they won’t hit back, or at least not in comparable measure.
Luckily, governments are much more aware of such scenarios, and the Executive Order is a product of this. And how far the governments must go is visible also from the related Presidential Policy Directive on Critical Infrastructure Security and Resilience – both government and private organizations are covered by this regulation, and specifically, the sectors that are covered are Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials, and Waste, Transportation Systems, and Water and Wastewater Systems.
It is debatable whether it is possible to organize such a comprehensive defense on such a wide front; however, one thing is for sure – unless a government recognizes the breadth of a problem, and directs its policy accordingly, the effect will be poor. And the U.S. government certainly did recognize the priorities, and set good foundations.
With this Executive Order a bare truth, already known to information security specialists, will now become clear to the general public: the biggest vulnerability of a modern society is no longer a lack of ability to defend itself against an attack with conventional arms; the biggest vulnerability is a lack of ability to defend itself against cyber attacks.
Click here to download the free eBook 9 Steps to Cybersecurity: The Manager’s Information Security Strategy Manual.