In testimony before the U.S. House Intelligence Committee last week, Admiral Michael Rogers, Director of the National Security Agency and Commander of U.S. Cyber Command, provided a stark assessment of the current cyber threat environment with respect to critical infrastructure and, in particular, industrial control systems. "It is only a matter of the when, not the if, that we are going to see something dramatic," Rogers told the committee, explaining that the U.S. is not yet prepared to handle such a threat.
Admiral Rogers cited instances of intrusions into industrial control systems, which are fundamental to water, power, financial and aviation infrastructure across the nation. According to Rogers, it appears that nation-states and others are conducting reconnaissance to better understand our systems so they can, if they choose, exploit any vulnerabilities. When asked about the capabilities of these bad actors, Rogers responded that, "[t]here shouldn't be any doubt in our minds that there are nation-states and groups out there that have the capability to do that." If successful, Rogers noted, parts of U.S. critical infrastructure could be shut down. Currently, there are 16 critical infrastructure sectors that have been identified by the U.S. government. These include the nation's water, power, transportation, communications and financial services sectors.
Rogers also highlighted the "coming trend" of increased cyber attacks on mobile devices. These devices, which are difficult to secure, could become entry points to larger, more sensitive government or corporate networks. In addition, Rogers warned of rising coordination between cybercriminal groups and foreign governments. This coordination could obscure the source of an attack, making attribution and response much more difficult for the U.S. Intelligence Community.
During his testimony, Rogers reiterated his case for a stronger partnership between the government and private sector to defeat cyber threats to critical U.S. infrastructure. He emphasized the importance of proactive sharing relationships between the private sector and government, in which "the insights of one now come to the aid of many" by sharing information about potential threats and capabilities.
Admiral Rogers applauded work being done in Congress to improve the U.S. cyber posture and stressed the necessity for a legal framework that allows the rapid exchange of information between the private sector and government while providing liability protection and safeguarding privacy interests. The Cybersecurity Information Sharing Act (S. 2588), which would promote better sharing of cyber threat information by providing liability protection, was reported overwhelmingly by the Senate Intelligence Committee and remains pending in the Senate, although hopes of consideration during the lame-duck session are dwindling.
As the U.S. government and private sector continue to experience more cyber attacks and growing threats, cybersecurity legislation is expected to be a primary focus of the incoming Congress. This legislative effort is likely to include a number of different bills and could impact how companies, of all sizes and across all sectors, respond to or try to prevent or mitigate cyber threats. Any company that operates or transacts business using information technology systems or networks has a stake in this legislative effort and should monitor all cyber legislation closely this year and into 2015. These companies should also ensure that they develop, implement and maintain strong policies and procedures that work to secure sensitive information while protecting privacy.