On November 8, CBS’s “60 Minutes” ran a segment on information security weaknesses called “Sabotaging The System.” This piece highlighted security vulnerabilities in segments of our nation’s critical infrastructure, including banking, power, and national defense. In addition, former and current government officials confirmed that the threats exist; not only are probes and attacks occurring with alarming frequency, but there have been numerous documented instances of successful penetrations into all three of these sectors. The potential impact of such attacks ranges from the theft of a few million dollars to large-scale power outages or compromise of military secrets. In short, our nation is faced with a significant set of risks, and I feel that “60 Minutes” did justice to the severity of the problem.
It is clear that the United States has benefited greatly from the interconnection of computer systems but, at the same time, we place ourselves at great risk by leaving these systems unprotected. The program, however, was lacking with regard to solutions. There is nothing about these vulnerabilities that prevents them from being mitigated; IT security professionals solve similar problems every day. In this case, it is simply the scale of the problem that is most daunting.
President Obama recently raised the issue and classified our nation’s critical digital infrastructure as a strategic asset. This is the first step along the lengthy road toward a more secure infrastructure, but it is important in that it allows the power of the federal government to be brought to bear. As it stands today, many of the requirements for both private industry and government are inconsistent, vague, and toothless. In the future, we will likely see increased regulation of these (and other) critical sectors. Regulation, however, is only part of the solution, and constriction of industry by over-regulation is a very real concern.
By taking the initiative to combat vulnerabilities in their own environments, companies in these sectors can not only reduce the burden that eventual regulation will bring, but they can also demonstrate to regulators and lawmakers that they are taking the risk seriously. While that may be a novel approach for some, there will undoubtedly be benefits to swift action. Rather than waiting for government to force them to do something undesirable, businesses should revisit and re-architect their current approach to information security and risk management: examine the security framework that is used, alter how security is organized at the company, identify critical assets, analyze current controls, and finally mitigate vulnerabilities by implementing additional policies, processes, and technologies. There is no question that this sort of initiative will cost money but, in the long run, it will be money well spent.