US industries: We take cybersecurity seriously

WASHINGTON, D.C. – While lawmakers decried a lack of concern in the U.S. about cybersecurity issues, representatives of the electricity, communications and other so-called critical infrastructure industries on Thursday said they take the potential for cyberattacks seriously.

Executives of companies in the electricity, communications, chemical and oil and gas industries told the U.S. House of Representatives Science Committee they have taken steps to protect against wide-scale cyberattacks, in some cases by setting up alternative networks not directly connected to the public Internet. Thursday’s hearing focused on how a wide-scale cyberattack would affect industries critical to the U.S. economy.

Industry assurances that they and other large companies understand cybersecurity threats stood in contrast to concerns raised by committee members. “We still pay inadequate attention to cybersecurity research and operations in both the government and private sector,” said Representative Sherwood Boehlert, a New York Republican and committee chairman. “We shouldn’t have to wait for the cyber equivalent of Hurricane Katrina to realize that we are inadequately prepared to prevent, detect and respond to cyberattacks.”

Industry representatives partially downplayed the potential for a large-scale cyberattack to interrupt critical services such as electricity and telecommunications because of networks that are separate from the public Internet. But as the oil and gas industry moves more of its technology controls to the public Internet, the potential for damage in a wide-scale cyberattack could increase, said John Leggate, chief information officer and group vice president of digital and communications technology at BP PLC, a major oil and gas company based in the U.K.

Currently, a major cyberattack would have a “moderate” effect on the oil and gas industry, because many companies’ control systems for functions such as pipelines are run over private networks, Leggate said. But after 2007 or 2008, when many petroleum companies will likely have moved their control systems to the public Internet, a wide-scale cyberattack could be “catastrophic,” he added.

Representatives of American Electric Power Company Inc., a provider of electricity to residents in 11 U.S. states, and SBC Communications Inc. also assured the committee that their main networks don’t now rely on the public Internet. The electricity industry is also working on sophisticated encryption technologies for use on the public Internet, added Gerald Freese, director of enterprise information security at American Electric Power.

“Cybersecurity is evolving rapidly, and all of us working in the field are tirelessly seeking more effective solutions to protect our assets,” Freese added.

The U.S. Department of Homeland Security (DHS) is also working hard to improve cybersecurity, added Donald “Andy” Purdy, acting director of the National Cyber Security Division at DHS. Purdy detailed a number of cybersecurity initiatives happening at DHS, including a national cybersecurity response system and a security threat and vulnerability reduction program.

A national cybersecurity response center, called US-CERT (Computer Emergency Readiness Team), was established in September 2003, Purdy noted, and the agency works with law enforcement and intelligence agencies to evaluate cyberrisks. DHS assisted with a classified report, released in February 2004, that identifies potential organizations capable of cyberattacks, he said.

But Representative Bart Gordon, a Tennessee Democrat, told Purdy that the DHS efforts were “simply not good enough.” Gordon referred to a U.S. Government Accountability Office report, released in May, saying DHS had not yet developed national cyber threat assessments or government and industry contingency recovery plans. Purdy promised a recovery plan document soon and a risk assessment by early next year.

“The disruptions and economic damages that could result from a successful cyberattack to one or more of our critical infrastructures could be substantial,” Gordon said. “And damage to water supply systems or chemical processing plants, for example, could also create life-threatening consequences.”

While many large companies now realize the importance of cybersecurity, implementation is often lacking, panelists said. Many companies are afraid to share their cybersecurity threat data with DHS for fear of it being released as a public document, Freese said.

Companies also need to more narrowly focus on the most important risk factors, added David Kepler, vice president of shared services and chief information officer at The Dow Chemical Co. “You can work on everything, and not be effective at anything,” he said.

Technology companies also need to work on creating more secure products, with security built-in instead of added on later, added Andrew Geisse, chief information officer at SBC. He gave cellular telephones and Wi-Fi as examples of technologies where security was an “afterthought.”

As the industry representatives offered advice for better cybersecurity, Boehlert complained that Supreme Court nomination hearings in the Senate attracted hundreds of journalists, while his hearing room had plenty of seats available. He asked the industry representatives to enlist their lobbying organizations in educating the rest of Congress about the importance of cybersecurity.

“We’ve got to focus on the importance of this subject,” he said. ‘In most quarters, it’s greeted with a muffled yawn. And yet you know, and you’re sharing with us, how important this is, and its potential impact on the entire economy.”