CISOs looking for guidance from the National Infrastructure Protection Plan (NIPP) released on June 30 by the Department of Homeland Security (DHS) may be scratching their heads for some time to come.
The final NIPP (.pdf), published after two earlier drafts were savaged by IT industry officials for downplaying the increasing risk from cyberattacks, at least glancingly mentions the imperative of protecting networks and servers. However, critics say that for what is intended to be a comprehensive risk management framework for the nation's infrastructure, details are skimpy and emphasis is lacking.
Thomas Lehner, director of public policy for the Business Roundtable, a lobbying group for Fortune 500 CEOs, said he was encouraged that the final NIPP included more references to cybersecurity. He cited document language basically stating that the interconnected and interdependent nature of the nation's critical infrastructure and key resources makes it problematic to address the protection of physical and cyber assets independently.
"The NIPP clearly incorporates cybersecurity; that is a plus," said John Sabo, director of security and privacy initiatives at CA Inc. Sabo is also president of the Information Technology Information Sharing and Analysis Center (IT-ISAC), a cybersecurity trade group.
But Sabo, Lehner and others worry that even though it is a significant improvement on the two previous versions, the final NIPP still has miles to go before CISOs can sleep peacefully.
For instance, Lehner said that while the NIPP makes the valuable "problematic to address…independently" statement, it never suggests avenues for merging physical and cyber protection.
Reconciling the two won't be an easy task, said Sabo, but that is what the 17 sector-specific councils are charged with doing in 180 days; that's the deadline for preparing individual infrastructure protection plans for the telecommunications, IT, financial services, chemical and other industries designated "critical" by the DHS. These plans will be based on the NIPP and sanctioned and released by DHS, but issued as guidance, meaning compliance by companies will be voluntary. The key part of each of those sector-specific plans will be a risk assessment of the possibility of a cyber or physical attack and an estimation of its effects.
Sabo argued, however, that it will be difficult for security pros in each industry to merge those two risk assessments, especially given the lack of specificity in the NIPP. "There is a complex web of issues which have not been dealt with in the NIPP," Sabo said.
For example, a dam, like most physical assets, is built to certain specifications in order to resist threats, such as a storm, of a specified magnitude. If the dam breaks, the result can typically be predicted. But if a vulnerability in an operating system is exploited, the asset, i.e. the computer, is not damaged. Rather, there is a loss of functionality throughout a network, the extent of which cannot be predicted in advance.
Still others wonder whether the NIPP or the voluntary sector plans will galvanize the private sector in the absence of a top DHS official to spearhead an industry assault on cybervulnerabilities. Paul Kurtz, executive director of the Cyber Security Industry Alliance, is a key voice in this camp. He co-chairs the IT sector coordinating council (SCC) work group writing that sector plan.
While Kurtz said that the eventual IT sector-specific plan can be valuable, even if compliance is not mandatory, he said the bigger need isn't for plans, but rather for "an interlocutor who is in a position to effectively get things done." The DHS created a new position of assistant secretary of telecommunications and cybersecurity one year ago. It has remained vacant.
"It is appalling we don't have a person in that job yet," Kurtz said. The top cybersecurity official at DHS is Andy Purdy, acting director of the National Cyber Security Division at DHS. He reports to Robert Stephan, assistant secretary for infrastructure protection. Kurtz asserted that Purdy has little sway inside DHS or among private sector organizations.
Stephen Barlas is a freelance writer based in Washington D.C.