Michael D. Moberly February 15, 2013
To perhaps better appreciate the necessity for the current escalation of national cyber-security initiatives and the associated Presidential Directive, Congressional hearings, lobbying, and blogosphere pros and cons, etc., it’s important to understand that the U.S.’s critical infrastructure sectors are distinctive in comparison to those of numerous other countries, e.g., the European Union for one. Throughout the EU, much, if not all, of the operation, oversight, management, and protection/security responsibility for critical infrastructure sectors remains largely in the hands of relevant government entities.
In the U.S., on the other hand, the 18 critical infrastructure sectors, as identified by DHS, have been sliced and diced so many different ways and by so many different (private sector) companies that I’m quite confident that sharing/communicating in a timely manner (a.) a company’s cyber risks, threats, and vulnerabilities, and (b.) the increasingly probable probes, attacks, and breaches they experience will not, at least initially, be a very ‘comfortable’ process, due in large part to (c.) potential liability exposure and reputation risk, and (d.) the extraordinary value such information would present to any adversary should they access/acquire it.
One strategy which I suspect may be more palatable for c-suites and boards insofar as the detailed ‘sharing’ of incidents is recognizing the extraordinarily costly and quite possibly irreversible reputation risks that will inevitably follow should they elect to opt out, be dismissive of, or merely not comply, in principle or in spirit, with the Presidential Directive. Of course, that will exacerbate many times over should they fall prey to an adverse cyber event that would cascade beyond the confines of a single company to infect an entire (infrastructure) sector.
One reality shared by numerous companies I’m familiar with, along with their c-suites, boards, and legal counsel, is that under most circumstances, unless literally mandated to do otherwise, it is seldom in their interest, for a variety of reasons, particularly among globally operating companies which strive to sustain amicable trading – transaction relationships, to be overly ‘public’ about victimizations, unless of course it is a mandated (legal) requisite that is actually enforced.
Actually safeguarding U.S. national (critical) infrastructure sectors from cyber acts/events carries some significant challenges because (a.) in most instances, a physical and digital interdependence and inter-connectivity exists in and between sectors which requires high levels of collaboration and sharing, (b.) there are different organizational and operating structures in the various companies which will inevitably complicate the compilation of the data/information, (c.) some critical infrastructure sector companies have multi-national ownership, and (d.) c-suites and boards will inevitably interpret the Presidential Directive as an additional fiduciary responsibility whose scope reaches well beyond the bare essentials and/or minimums versus utilizing known best practices or standards.
Initially, when I and many of my then university-based colleagues applied the term ‘national critical infrastructure’, in the mid-to-late 1980s, the sectors were referred to as ‘pillars’ and were only nine in number. Today, the Department of Homeland Security has refined and extended that number to eighteen and refers to them as infrastructure sectors, i.e.,
- Food and agriculture
- Banking and finance
- Commercial facilities
- Critical manufacturing
- Emergency services
- Defense industrial base
- Government facilities
- Information technology
- National monuments and icons
- Nuclear reactors including materials and waste
- Postal and shipping
- Transportation systems, and
I, along with numerous colleagues experienced in the information (intangible) asset protection and economic espionage arena, have long realized it is challenging to (a.) create an environment and/or the necessary (company) culture in which (b.) timely detection of adversary probing and/or system compromise or asset theft occurs. It’s even more challenging to assemble such data and portray it in quantifiably reliable ‘dollar contexts’.
On a cautionary note, however, the public domain is chock-full of variously corroborated anecdotes, all well earned, of state-sponsored entities engaged in, for the most part to date, relatively low-level and non-cascading cyber attacks, aside of course from the theft of proprietary information and intellectual capital. I believe it’s reasonable to suggest that in a number of critical infrastructure sector c-suites and boardrooms there may be a predisposition, again well earned, to assign (assume) any offensive cyber probing, attacks, and/or breaches to particular state-sponsored entities or otherwise emanating from specific countries.
The fact is, the catalog of potential culprits possessing both the means and motives to engage in cyber attacks has expanded into the realm of well taught and under-the-radar ‘legacy free players’ globally. So, I would respectfully add that critical infrastructure sector companies may exercise prudence in assuming those ‘handful’ of state-sponsored actors are the only ‘players’ in this extremely high stakes circumstance.
My blog posts are researched and written by me with the genuine intent they serve as a worthy and respectful venue to elevate awareness and appreciation for intangible assets throughout the global business community. Most of my posts focus on issues related to identifying, unraveling, and sustaining control, use, ownership, and monitoring asset value, materiality, and risk. As such, my blog posts are not intended to be quick bites of information, unsubstantiated commentary, or single paragraphed platforms to reference other media.
Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of any of my posts, attribution is expected and always appreciated. While visiting my blog, readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction. I always welcome your inquiry at 314-440-3593 or firstname.lastname@example.org