At the year’s biggest show for physical security practitioners, just yards from a show floor that includes security officer uniforms, heavy gates and video surveillance cameras, the message from the Department of Homeland Security was about anything but physical security. Instead, on the eve of the 11th anniversary of 9/11/2001, what DHS Secretary Janet Napolitano called “the most dynamic and threatening area of risk today” was cyber security.
Speaking to attendees at the 2012 ASIS International Seminar & Exhibits, a security industry tradeshow being held this week in Philadelphia, she warned of threats to the nation’s cyber infrastructure. She quantified it by saying that last year the United States Computer Emergency Readiness Team (US-CERT) responded to 106,000 reports of cyber attacks. Even worse, Napolitano said she’s seen a trend of hackers increasingly targeting the nuclear and chemical industries. But the bigger problem, said Napolitano, is that those 106,000 incidents tracked by US-CERT were likely the tip of the iceberg.
She’s undoubtedly correct that only the tip of the iceberg is being seen. For comparison, web security firm Symantec’s Internet Security Threat Report, Volume 17, published earlier this year, indicated that it had counted “403 million new variants of malware” created in 2011.
That under-reporting of cyber attacks indirectly pointed to the problem that Napolitano and the DHS have. The DHS and law enforcement face a real uphill battle against cyber crimes. There are three reasons. First, these crimes often cross jurisdictional lines, which means local and even state law enforcement agencies often can’t effectively investigate and prosecute. Second, law enforcement (even the Feds) doesn’t generally have the budgets to maintain strong cyber-crime fighting divisions (although Napolitano says they have plans to change that by recruiting IT experts). Third, and this is probably the biggest challenge, the nation’s cyber infrastructure usually isn’t in public hands.
As Napolitano told the ASIS crowd, “Private industry owns and operates the majority of critical infrastructure and cyber networks.” As a corollary, most of the leading IT/cyber security experts are working for commercial entities, not the government. Since the nation’s cyber networks are privately owned and operated, the federal government has its hands somewhat tied. It depends on the private sector to share information about the cyber attacks it is facing. Yet the private sector is often loath to do such a thing, for reasons such as the privacy rights of its customers’ data and also because no company wants to be the one to raise its hand and say, “It’s me, I’m the one being hacked.” In fact, were they not compelled to do so, one would have to wonder how many companies might lose their customers’ data and simply not report the attack.
This challenge was why Napolitano spent a half hour on stage in front of the ASIS attendees. It was her job to be the missionary to convince the private sector to start working with the government better.
“The private sector needs to remove the barriers to sharing information with the government,” she told the audience, even as she also admitted that the government has its own work to do in terms of facilitating that sharing and clarifying government mandates about sharing cyber security threat information. The private sector, said Napolitano, simply isn’t clear on whether it can share some of this information with DHS.
“Oftentimes people think it is public versus private, but we need to all work together.”