Is the U.S. prepared for cyber war or are we sitting ducks?

Is the U.S. prepared for cyber war or are we sitting ducks?

Before I say anything at all, please eyeball this quote from 60 Minutes by Admiral Mike McConnell, previously chief of national intelligence who oversaw CIA, DIA, and NSA, regarding the cyber terrorism and the US electricity infrastructure:

"If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, and I probably would sack electric power on the U.S. East Cost, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker," McConnell explained.

"Do you believe our adversaries have the capability of bringing down a power grid?" Kroft (60 Minutes) asked.

"I do," McConnell replied.

This interview falls on the heels of my blog of June 9 about NERC CIP security  "Here's a better idea for security of the nation's electric grid (title courtesy of my  Network World publisher) ."

Asked if the U.S. is prepared for such an attack, McConnell told Kroft, "No. The United States is not prepared for such an attack." White House web page.   Now the House of Representatives has passed a bill aimed at hardening the cyber security policies of the US Government and involves the Federal Information Security Management Act, (FISMA).  In turn, FISMA has an impact on NERC CIP.

Security of the electrical infrastructure is also mentioned  in most recent Cyberspace Policy Review on the

Increase the Carrot and the Stick for NERC CIP Compliance

While I read about "strong centralized oversight" and "update our comprehensive policy" I do not read anywhere about enforcement or funding compliance for NERC CIP.  We all know there can be huge gaps between policy and implementation, and similarly between oversight and enforcement.

It takes a lot of dollars to convert a demanding security policy into a desired security state.  Similarly it takes consistent enforcement of policy including penalties for compliance violations in order to rationalize the existence of oversight.

There are lots of comments about my previous blog regarding both the pros and cons of my suggestion for a bigger stick for  enforcing NERC CIP compliance.  In my comments I stuck to my guns.

Last night Pres Obama made a  speech to the nation about the BP oil spill.  One of his three central points dealt with preventing a future oil spill disaster.  Today the President  told BP to allocate billions of dollars to reimburse those who suffered as the result of BP's oil spill. 

Perhaps now is the time to take similar action and allocate funds and sticks to prevent an electrical grid cyber disaster.

Have a safe week.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.