Cybersecurity for the Nation’s Infrastructure and Financial Institutions

Cyberattacks, and the damage they cause, are not limited to national security space systems. Financial markets and institutions, the nation’s power grid, national and local government institutions and facilities, transportation networks, and individuals are among those that have experienced cyberattacks. Symantec Corporation, the largest maker of security software for computers, reported in July 2011 that cyberattacks are increasing and becoming more and more sophisticated, potentially harming financial and economic systems, costing business, governments, and individuals throughout the world billions of dollars annually. A White House 2009 fact sheet stated that the nation’s infrastructure—electricity grid, financial sector, and transportation networks—“suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade.” In June 2011, Secretary of Defense and former CIA Director Leon Panetta reported to Congress that the next great battle America faces is likely to involve cyber warfare that cripples America’s electricity grid and its security and financial systems. As recently as January 2012, President Obama identified “cybersecurity as one of the most serious economic and national security challenges” the country is facing.

The financial industry is especially vulnerable to cyberattacks. In 2010 the Nasdaq Stock Market, which CEO Robert Greifeld said is under constant attack every day, put in place security measures after hackers broke into its parent company’s (Nasdaq OMX Group) service where corporate officers share confidential documents. Individuals and businesses using online banking have increasingly experienced thefts, particularly through viruses infecting their computers. Reuters reported in October 2011 that the U.S. National Security Agency has begun providing Wall Street banks with intelligence on foreign hackers. Cyberattacks regularly threaten worldwide stock exchanges, which also jeopardizes the ongoing business of U.S. financial institutions and individuals. In 2010 the London Stock Exchange experienced an attack at its headquarters and allegedly was under intense attack when it attempted to upgrade its trading systems. The exchange now cooperates closely with British security services, which has warned that cyberattack is one of the biggest threats to the country. The Hong Kong Exchanges and Clearing group in August 2011 stopped trading in stocks of seven companies for half a day after a “malicious attack” by hackers on its Web site. And on January 16, 2012, the Web sites for the Tel Aviv Stock Exchange and El Al national airline were brought down for hours because a hacker group targeted the sites, although the attack did not affect trading or flight operations. These are but a few examples that illustrate the growing threat of cyber terrorism, which could possibly destabilize an entire business sector and cost it billions, interfere with its operations and business with customers, and threaten its intellectual property.

Electricity production and distribution companies regularly face probes and assaults. A few of the many cyberattacks in the recent decade include the April 2009 spy infiltration of the U.S. electric grid that allegedly left behind software that could be used to disrupt the system, and the August 2003 infection of the “Slammer” worm in the Davis-Besse nuclear power plant in Ohio, causing a five-hour shutdown of computer systems. Andy Bochman, IBM Rational’s lead who focuses on “smart-grid” security software, as well as being founder of the DOD Energy Blog, said as of September 2011 the nation’s electric utilities were about where the financial and telecommunications industries were a decade ago in protecting against hackers. According to Bochman, the smart grid is vulnerable to cyberattack but can keep the electrical system more secure because it will sense trouble earlier and send in cyber experts to protect data as well as divert power around trouble
spots. Although the electrical sector has been late in the game when it comes to embracing information technology that focuses on security, it is catching up.

Title XIII of the Energy Independence and Security Act of 2007 established the development of the smart grid as national policy, which, among other goals, called for “increased use of digital information and controls technology to improve reliability, security, and efficiency of the electric grid.” The Massachusetts Institute of Technology study report “The Future of the Electric Grid” cited grid cybersecurity as an important concern for society at large as well as for individual companies. It warned that the expanded use of new communications, sensing, and control systems throughout all levels of the electric grid will introduce new cybersecurity risks and challenges. Ongoing cybersecurity standards development processes are critical to securing the grid, but the report said that finding the approach that balances risk, impact, and cost will be a challenge for industry and government alike. The MIT study report recommends a single federal agency to protect the U.S. electrical grid from cyberattacks. Multiple regulatory and legislative bodies currently regulate the grid.

“Rigorous testing of individual system components, complemented by integrated systems, can help mitigate cybersecurity risks and develop better system responses when vulnerabilities are breached,” the report said. One notable government effort underway is the national SCADA (supervisory control and data acquisition) testbed program set up by the Department of Energy. The “Aurora” experiment in 2007 discovered a weakness that would have “enabled hacking into electric power control systems with potentially disastrous results.” The report emphasized the importance of ongoing component and systems testing, especially because of rapid changes in cybersecurity risk as grid technologies develop and the “complex and quickly evolving technologies, systems, and security policies of the modernizing grid.”

The White House and Congress have regularly considered the urgency of protecting the nation against cyberattacks: a 60-day White House review of U.S. policies for cybersecurity in 2009 recommended 10 actions for developing strategies and policies for managing cybersecurity. In December 2011, the administration issued a strategy for federal cybersecurity research and development, and as recently as January 2012, the White House and the Department of Homeland Security met with industry leaders to discuss a new initiative to “further protect the electric grid from cyber risks.” The Senate and House have introduced separate bills for national cybersecurity legislation, but concerns about overregulation as well as freedom of the Internet have made passage problematic. Technewsworld.com, an online technology news site, reported in January 2012, however, that recent consensus between the administration and Congress on the urgent need for protecting the nation’s infrastructure seems to indicate some cybersecurity legislation will pass this year.
— Donna Born

Return to the Spring 2012 Table of Contents

Go to main article: Meeting the Cyber Challenges of Tomorrow