The list of critical infrastructures in the United States that if successfully hit by a cyber attack could result in a serious blow to national, economic and public health security is small, according to a Department of Homeland Security (DHS) official.

A preliminary evaluation of these critical infrastructures, as called for in an Executive Order issued by President Barack Obama in February, has been delivered to the White House, Robert Kolasky, director of the Implementation Task Force for the executive order within the DHS National Protection and Programs Directorate, told the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection.


Kolasky said the task force worked with all 16 critical infrastructure sectors, identifying the critical functions that each produces and how they relate to cyber security. He said that the task force is still in the process of identifying those infrastructures where an attack could be catastrophic to the nation’s security, noting that it is a “relatively small list.”

The list was not disclosed.

The executive order called for greater information sharing between the federal government and private sector about cyber security threats and directed the National Institute of Standards and Technology (NIST) to coordinate an effort to bring together existing best practices and standards for improving the cyber security posture of the private sector. The Cybersecurity Framework, which is in development, is meant to be a voluntary set of standards that companies and organizations can draw from.

The groups that are on the list of critical infrastructures are in a good position regarding their security posture, Kolasky said, and DHS already has relationships with these entities. “We’ll work with them to identify risk management approaches and federal resources to support them, but we are confident that they have taken the cyber security problem very seriously and that they have gone a long way in mitigating their vulnerabilities,” he said.

Kolasky also said that DHS has delivered a number of other reports and items to the White House as called for in the executive order. One is a report on potential government incentives to encourage adoption of the Cybersecurity Framework that NIST is working on.

Incentives, such as liability protections for private sector entities that adopt the framework, are expected to be part of congressional legislation on cyber security, although so far none has been approved by Congress.

Another report deals with how to expand an existing cyber threat sharing program between DHS and the private sector, called the Enhanced Cybersecurity Services program, to include all critical infrastructure sectors. Yet another report provides recommendations on the ease and benefits of incorporating cyber security standards into acquisition planning and contract administration.

Kolasky said that next up DHS will be focusing efforts on developing a draft research and development plan for National Critical Infrastructure Security and Resilience and working to enhance near real-time situational awareness for critical infrastructure, “with a particular focus on multi-directional information sharing and understanding of interdependencies between physical and cyber systems and critical infrastructure sectors.”

Kolasky and Charles Romine, director of the Information Technology Laboratory at NIST, emphasized that the Cybersecurity Framework is, and will be, a voluntary set of standards that the private sector can adopt. However, Rep. Patrick Meehan (R-Pa.), the chairman of the subcommittee, raised concerns that the framework could ultimately be the first step toward mandatory regulations.

Romine said that the private sector has been very supportive of the framework coordination process. However, various industry officials publicly and privately continue to voice concerns that the federal government will eventually impose cyber regulations across the nation’s critical infrastructures.