WASHINGTON -- While lawmakers decried a lack of concern in the U.S. about cybersecurity issues at a hearing Thursday, representatives of power, communications, and other so-called critical infrastructure industries said they take the potential for cyberattacks seriously.
Executives of companies in the electricity, communications, chemical, and oil and gas industries told the House of Representatives Science Committee that they have taken steps to protect against wide-scale cyberattacks. Some have even set up alternative networks not directly connected to the public Internet. The hearing focused on how a wide-scale cyberattack would affect industries critical to the U.S. economy.
Industry assurances that they and other large companies understand cybersecurity threats stood in contrast to concerns raised by committee members.
"We still pay inadequate attention to cybersecurity research and operations in both the government and private sector," said Representative Sherwood Boehlert, a New York Republican and committee chairman. "We shouldn't have to wait for the cyber equivalent of Hurricane Katrina to realize that we are inadequately prepared to prevent, detect and respond to cyberattacks."
Industry representatives downplayed the likelihood that a large-scale cyberattack would interrupt critical services because those networks are separate from the public Internet. But as the oil and gas industry moves more of its technology controls to the public Internet, the potential for damage in a wide-scale cyberattack could increase, said John Leggate, chief information officer and group vice president of digital and communications technology at BP, a major oil and gas company based in the U.K.
Currently, a major cyberattack would have a "moderate" effect on the oil and gas industry, because many of the control systems for functions such as pipelines are run over private networks, Leggate said. But after 2007 or 2008, when many petroleum companies will likely have moved their control systems to the public Internet, a wide-scale cyberattack could be "catastrophic," he added.
Representatives of American Electric Power, which provides electricity to residents in 11 states, and of SBC also assured the committee that their main networks don't now rely on the public Internet. The electricity industry is also working on sophisticated encryption technologies for use on the public Internet, added Gerald Freese, director of enterprise information security at American Electric Power.
"Cybersecurity is evolving rapidly, and all of us working in the field are tirelessly seeking more effective solutions to protect our assets," Freese added.
The Department of Homeland Security (DHS) is also working hard to improve cybersecurity, added Donald "Andy" Purdy, acting director of the National Cyber Security Division there. Purdy detailed a number of cybersecurity initiatives, including a national cybersecurity response system and a security threat and vulnerability reduction program.
A national cybersecurity response center, called Computer Emergency Readiness Team (US-CERT), launched in September 2003, Purdy noted, and the agency works with law enforcement and intelligence agencies to evaluate cyberrisks. Homeland Security assisted with a classified report, released in February 2004, that identifies potential organizations capable of cyberattacks, he said.
But Representative Bart Gordon, a Tennessee Democrat, told Purdy that the DHS efforts are "simply not good enough." Gordon referred to a Government Accountability Office report released in May that says DHS had not yet developed national cyber threat assessments or government and industry contingency recovery plans. Purdy promised a recovery plan document soon and a risk assessment by early next year.
"The disruptions and economic damages that could result from a successful cyberattack to one or more of our critical infrastructures could be substantial," Gordon said. "And damage to water supply systems or chemical processing plants, for example, could also create life-threatening consequences."
Words, Deeds Differ
While many large companies now realize the importance of cybersecurity, implementation is often lacking, panelists said. Many companies are afraid to share their cybersecurity threat data with DHS for fear of it being released as a public document, Freese said.
Companies also need to more narrowly focus on the most important risk factors, added David Kepler, vice president of shared services and chief information officer at Dow Chemical. "You can work on everything, and not be effective at anything," he said.
Technology companies also need to create more secure products, with security built in instead of added later, added Andrew Geisse, chief information officer at SBC. He gave cellular telephones and Wi-Fi as examples of technologies where security was an "afterthought."
As the industry representatives offered advice for better cybersecurity, Boehlert complained that Supreme Court nomination hearings in the Senate attracted hundreds of journalists, while his hearing room had plenty of seats available. He asked the industry representatives to enlist their lobbying organizations in educating the rest of Congress about the importance of cybersecurity.
"We've got to focus on the importance of this subject," he said. 'In most quarters, it's greeted with a muffled yawn. And yet you know, and you're sharing with us, how important this is, and its potential impact on the entire economy."