As Congress wrestles over cybersecurity legislation related to securing critical infrastructure and the electric power grid, arguments are surfacing on whether the power companies should handle any new federally mandated network protections or whether the U.S. government -- in particular the National Security Agency -- should be in the middle of it.
Some of these tensions, which usually remain behind closed doors in Washington circles, burst into the open this week with a Washington Post article that revealed how White House officials, on behalf of President Obama, have been issuing stern rebukes to NSA director Gen. Keith Alexander for what they say was his overstepping some boundaries in speeches arguing for more legal authority to defend the nation against cyberattacks.
At least one legislative proposal on Capitol Hill has advocated that power companies do continuous scanning with threat data provided by NSA and turn over any evidence of cyberattacks to the government, though critics call the idea obtrusive and a privacy violation.
The Feb. 27 Washington Post article quoted an unnamed White House administration official saying about Alexander, "We have had to remind him to at least be cognizant of what the administration's policy positions are, so if he's openly advocating for something beyond that, that is undermining the commander-in-chief."
Strong words, and at a panel at the RSA Conference this week on the topic of protecting the U.S. power grid, which is a sprawling geographic collection of interconnected grid segments primarily operated by private-sector companies, speakers expressed passionate views on the question of whether it's a good idea for the NSA to be involved in power-grid protection or not.
"I'm glad this has all come out. I'm on the side of the administration," commented Jason Healey, director of the cyber statecraft initiative at the Atlantic Council, a security think tank. He said if there's something really bad going on regarding power-grid cybersecurity, the NSA should declassify it. He wasn't in favor of the NSA monitoring the power grids directly.
Other panelists had a different view.
"This is not about protecting a super-secret interception system," said Stewart Baker, attorney at Steptoe and Johnson, who's had long-standing ties to the U.S. defense and intelligence community. "It is not, however, necessary for NSA to do all the monitoring."
But the NSA's abilities to fight cyberattacks coming in on a daily basis should be brought to bear for protecting the grid, Baker argued. "The only real operational fighters in this are the NSA. They feel great frustration that they should push string at this problem." They want to get out and do something to defend the nation's critical infrastructure against attack, he said.
In his talk on the RSA Conference panel, Baker discussed a survey sponsored by McAfee of power-grid operators around the world that showed a huge difference in how the English-speaking world of the U.S. and the United Kingdom treat regulation and security of power-grid operators versus Asian nations, such as China or Japan. Governments in Asian areas are much more involved in auditing security on their power grids that in the U.S. and the U.K.
"Should we move closer to the model we see in Asia? Or are we happier with the model we have here?" Baker said in his presentation.
A third panelist, Kevin Gronberg, senior counsel on the U.S. House Committee on Capitol Hill, sought to explain the complexities and turf wars of the debate, especially from the Republican viewpoint, which he said has favored more of a hands-off approach, an "extremely light touch," defining cybersecurity defense procedures to the power-generating companies.
"Regulation is not favored by our caucus in the House," he said, adding that there's the expectation that the private sector and the owners and operators should handle this since they know their networks. He said the National Institute of Standards and Technology (NIST) can define standards and help these power-grid operators. On the other hand, he also noted there are some Republicans who don't share this hands-off approach to grid cybersecurity.
Baker said there is a battle within the Republican Party on the issue. But he made it clear that he thinks that the "smart grid" initiative in which billions are now being invested to enable new capabilities and presumed efficiencies in electricity delivery and billing through new communications down to the house level are being done without sufficient security, and increasing risk.
The smart grid effort, he says, represents "$50 billion in the U.S. in technology that will arguably make the grid less secure." He said the potential for cyberattacks on the U.S. power grid is very real.
Panelist, Donna Dodson, division chief, computer security division, NIST, acknowledged there's evidence of more hacker interest in going after the power grid with tools such as ShowDad that can display Internet-facing components of industrial-control system. "There's an increase in free tools available focusing on industrial control systems. And greater hacker interest."
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.