Protecting US Critical Infrastructure: One Step Forward for Cybersecurity, One Back?

Industrial control systems might be the most important technology that you have never heard of. They’re computer systems used to monitor and control a range of physical processes within critical infrastructures, such as opening valves or closing circuit breakers. It is no exaggeration to say that industrial control systems are essential to modern life: they help keep our lights on, our water clean, and our trains running on time.

But control systems—and the critical infrastructures within which they operate—are increasingly vulnerable to malicious cyber-intrusions. In last February’s State of the Union address, President Obama signaled the importance of protecting such infrastructures:

“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

Shortly after, the President issued an Executive Order to enhance cybersecurity for US critical infrastructure. Then, in May, the Department of Homeland Security privately warned infrastructure operators that cyber-attacks were on the rise. There is no sense that these attacks have abated.

The growing awareness of the importance of protecting critical infrastructures from cyber-disruptions makes Rachel King’s July 20 report in the Wall Street Journal even more troubling. King reports that the Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team (ICS-CERT) recently canceled two long-planned conferences and a number of training sessions. The cancellations are likely an effect of sequestration—no funds.

King’s account is cause for concern. The cancelled sessions are a key part of ICS-CERT’s mission: bringing together government and industry experts to share and gain insight in dealing with the latest threats. Scaling back ICS-CERT funding now and canceling government-industry meetings threatens to roll back recent hard-won gains.

Much of ICS-CERT’s work is below-the-radar and unlikely to generate headlines, but it is incredibly important. Founded in 2009, ICS-CERT provides industry players with up-to-date information about new vulnerabilities, mitigation strategies, and best practices. In an environment where government and the private sector often have difficulty finding common ground, ICS-CERT has taken up the vital role of forging dialogue and technical exchange that helps improve the capacity to protect the nation’s critical infrastructures.

And, ICS-CERT has made good progress. During the first 6-months of FY 2013, ICS-CERT responded to over 200 reported cyber incidents, exceeding the total number of incidents—198—that were reported during all of FY 2012. The spike in reported incidents likely reflects both the continuing presence of cyber-threats and, equally important, better reporting by the private sector to ICS-CERT.

Despite sequestration, the US Department of Defense is moving to grow its cyber workforce from roughly 900 to 4,900 personnel. That decision to increase DoD’s cyber capabilities during a period of widespread austerity reflects the importance of cyberspace as a military domain.

Domestic security should not be considered as an afterthought. Supporting close coordination between the government and the private companies that own and operate the overwhelming majority of U.S. critical infrastructures is a national priority. It should be funded as one as well.