Skip Links

Volunteering falls short on threat information sharing

Pulling of nuclear plant security presentation highlights how government and private sector guard their threat and vulnerability information

By Taylor Armerding, CSO
November 06, 2012 07:50 AM ET

CSO - Critical infrastructure security apparently has its own version of Don't Ask, Don't Tell, despite calls in the public and private sector for better information sharing.

The year in security mischief making

And this one goes both ways. The private sector is not telling the government about its vulnerabilities, and government is also keeping threat and vulnerability information from the private sector.

Reuters reported last week that two scheduled presentations at the 12th ICS Cyber Security Conference about a nuclear power plant's possible vulnerabilities to cyberattacks were cut at the last minute, after an equipment supplier to the plant threatened to sue.

The unnamed vendor reportedly said the presentations would have revealed too much about its equipment, even though the plant's officials had approved the presentation.

The threatened suit was not an isolated instance. Those at the conference were also told that "a security firm that had uncovered the thousands of pieces of control equipment exposed to online attacks did not tell U.S. authorities where they were installed because it feared being sued by the equipment owners," Reuters reported.

On the public-sector side, conference attendees heard that the government has kept secret for five years a technique it discovered for attacking electricity generation equipment. That, the report said, meant that potential targets "had not realized they were vulnerable and therefore did not buy hardware needed to protect themselves."

As has been reported numerous times, information sharing between the private and public sector -- especially regarding the control systems of critical infrastructure -- was one of the things Congress had hoped to address with cybersecurity legislation. After the latest of those bills, the 2012 Cyber Security Act (CSA), failed to come to a vote in the Senate in August, President Obama has been signaling for months that he would seek to implement some of the same things by executive order.

A couple of drafts of that order have leaked, but it is expected to be issued only if the president wins a second term in today's election.

The Federal Times said the order "would direct agencies to share cyber threat information with companies operating critical infrastructure," but would only askprivate firms to share information with the government, although that request would come with some incentives.

While both political parties blame the other for the failure of legislation, both also say they agree on the need for information sharing. But at the present, it seems those in the private and public sector directly involved in infrastructure security don't think it's a good enough idea to actually do it.

[INDUSTRY VIEW: 4 factors for avoiding cyber espionage attacks]

The reasons, say experts, are both legal and economic. Marc Zwillinger, an attorney with the Washington, D.C. law firm ZwillGen, said: "Providing information to the government that causes a third party to lose significant business always creates liability risks. There's a possibility that either you are wrong, or that someone else will make it extremely expensive to prove that you are right, which may be crippling and distracting."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News