President Barack Obama’s executive order calling for increased information sharing between the federal government and private companies to protect the nation’s critical infrastructure against cyber-attacks is a good first step, despite concerns about government regulation and data privacy, experts said.
The order, an alternative to legislation Obama hoped Congress would pass last year, shows that “business is getting fed up with the fact that we are not moving to deter and block these threats fast enough,” said Bob Butler, chief security officer and senior vice president of IO, a Phoenix-based data center services firm with an office in Miamisburg.
Butler served from 2009 to 2011 as the U.S. Deputy Assistant Secretary of Defense for Cyber and Space Policy, and worked with the White House and Department of Homeland Security to draft the cyber-threat legislation that became the basis for Obama’s executive order. He will be a keynote speaker Wednesday at Technology First’s 10th annual Ohio Information Security Conference at the Sinclair Ponitz Center in Dayton.
“From a business standpoint, we don’t want a heavily regulated environment,” Butler said. “We want to try to create incentives to allow public and private sector partnerships to grow naturally, but to grow with increased momentum. So it’s not just information sharing, but threat sharing and threat mitigation sharing.”
Obama last month assigned the National Institute of Standards and Technology to develop a framework for voluntary information sharing in an effort to stem possible attacks against the nation’s utilities, traffic control systems and financial centers.
Several days later, cyber forensics firm Mandiant revealed that a Chinese military hacking group has stolen large amounts of data from 115 U.S. organizations and companies since at least 2006.
“Virtually everything is now so interconnected that the vulnerabilities can come from almost any direction,” said Mateen Rizki, chair of Wright State University’s Department of Computer Science and Engineering.
Rizki called Obama’s order a good first step, but said some companies may be reluctant to share information about their networks. “The dissemination of solutions is difficult when you don’t have openness. When you have some framework for cooperation you can start to make headway,” he said.
Organizations can patch and defend against known vulnerabilities, but a lack of awareness allows cyber thieves to exploit those problems, said Scott Campbell, Miami University School of Engineering and Applied Science’s director of technology, and an instructor in computer science.
Campbell said some of the computer systems that control the nation’s power grids, water supplies and telecommunications networks are outdated and potentially vulnerable. Replacing the still-functional systems can be costly, so companies often will install mediation devices such as a modern computer in front of the system to increase security, “without really making the underlying system secure,” he said.
“Critical infrastructure needs to be hardened and you see in the cyber executive order the government’s attempt to try to encourage that,” Butler said.
Major southwest Ohio employers including Wright-Patterson Air Force Base and GE Aviation are well prepared to defend against cyber-attacks, but small companies could be at higher risk, Campbell said. “That’s what concerns me, is how easy large-scale attacks are against these tier-two targets. That just could be so disruptive,” he said.
Butler praised the efforts of the region’s federal and academic institutions to strengthen national cyber security, as well as to educate and inspire young people to pursue careers in the field.
The Air Force Institute of Technology, the Air Force’s post-graduate education and research school at Wright-Patterson Air Force Base, teaches courses in offensive and defensive cyber-warfare techniques. AFIT’s Center for Cyberspace Research has been designated by the Air Force as its cyberspace technical center of excellence.
Wright State University’s College of Engineering and Science last fall launched a master’s degree program in cyber security. Rizki said the school is developing articulation agreements with Sinclair and Clark State community colleges, and also discussing a cooperative agreement for training at the Advanced Technical Intelligence Center for Human Capital Development’s secure facility in Beavercreek.
In addition, Wright State’s Institute of Defense Studies and Education offers a number of certificate programs in secure software development and cyber security.
“I think you have a collection of institutions and people that could actually become even a greater force in this area, and reaching next generation, if we can find a way to work together,” Butler said.
How to go
What: Ohio Information Security Conference
When: Wednesday from 7:45 a.m.-5 p.m.
Where: Sinclair Community College Ponitz Center, 444 W. Third St., Dayton
Cost: $150 for members; $175 for non-members; $75 for students
Registration: Call (937) 229-0054 or visit technologyfirst.org