The U.S. House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies had another panel/hearing on “Examining the Cyber Threat to Critical Infrastructure and the American Economy”.

This link has the video of Chairman Lungren’s opening statement and links to the full text of the witnesses’ testimony. Chairman Lungren could not have appeared more bored or perfunctory in his welcome and reading of his remarks, although he was sick so maybe that is the excuse. But why shouldn’t he be bored? We really don’t need more of these shows of how Congress is taking the problem seriously. It is not unique to this issue though. Just the way that Congress works.

The panelists this time were:

  • Philip Reitinger of DHS
  • Greg Wilshusen of GAO
  • James Lewis of CSIS
  • Phyllis Schneck of McAfee
  • Mischel Kwon of Mischel Kwon Associates

Since the video was not posted, or at least not found by me, all that was left was the written statements, which are much longer than the live testimony. You also miss the Q&A from the House members. This really tells you who is engaged and up to speed and who isn’t. For example, a recent Senate hearing had Sen. Lieberman asking tough and interesting questions and Sen. Collins asking “How vulnerable is the critical infrastructure to cyber attack?”

Skimming the 12 pages of DHS testimony, I found it to be a rehash of all the DHS efforts in the ICS security space. Nothing terribly new there, but a nice overview for those unfamiliar with DHS efforts.

The GAO testimony, much better viewed on this link, co-mingled “threats to systems supporting critical infrastructure and federal information systems” and even included identity theft and financial fraud. There was little on ICS except a nod to their January ’11 smart grid paper that talked about deficiencies in NIST and FERC efforts. Most of the testimony was in the vein of “GAO recommended this and it has not yet been accomplished”, and many of the items were high-level strategy items.

Then the private industry panel took over, and these witnesses are usually more interesting. James Lewis’s testimony starts off with 12 serious cybersecurity incidents since Jan ’10, but only one, of course Stuxnet, was ICS related. At this point I look back at the hearing title and see “and the American Economy” so non-ICS issues are in scope. But it is a mistake to lump these together.

Lewis writes, “Two of our potential military opponents have the capability to launch damaging cyber attacks against America’s critical infrastructure”. I assume he means Russia and China, but the number should be much larger. The cost and number of talented people required to do this is small.

Then he makes a bold statement that contradicts my last sentence, which is why private panelists are more interesting:

Terrorists lack the capability to launch cyber attacks.  If they had this capability, they would have already used it.  Our original emphasis on “cyber terrorism” was wrong.  The day a terrorist group gets cyber attack capabilities, they will use them.

Lewis then goes on to make the case for regulation and the involvement of “the pro’s” from various government organizations. He talks about the lack of a business driver for utilities to secure systems, and the failure of banks and high tech, such as Google or Intel, to secure their networks even with a large monetary reason and better talent to do it. Not in line with our thinking at Digital Bond, but a well argued position.

Phyllis Schneck didn’t touch much on ICS, instead focusing on what McAfee is doing and Night Dragon / Aurora – not the electric Aurora. She did put in a plug for the public/private partnership.

Mischel Kwon was the Director of US-CERT for about a year and her testimony was primarily on the problems with DHS structure and US-CERT. She was clear that she thought cyber security belonged in DHS even with all the problems.

So after all that reading/skimming, not much on the critical infrastructure. It would be interesting to learn what the House members focused on, but my overall conclusion is we don’t really need more of these hearings.
