Cyber Security Act’s Failure Leaves Infrastructure Vulnerable

Some worry terrorists could shut down the economy with the click of a mouse.

Dan Lohrmann has been in the information security business for the bulk of the past decade, and he’s scratching his head over the continued inability of Congress to enact nationwide cybersecurity protections.

“Honestly, it’s disconcerting that the bad guys are ahead of the good guys,” says Lohrmann, who became one of the nation’s first state chief information security officers in 2002, when he was tapped for that job in Michigan. “It seems like the bad guys are more organized and united in their goal, which is to take advantage of our lack of unity and coordination.”

The latest lack of unity occurred over the Cyber Security Act of 2012, which would have created cybersecurity standards for the companies that run critical infrastructure like the power grid, gas pipelines, and water and transportation systems. The measure, backed by Sens. Joseph Lieberman and Susan Collins, sought to improve sharing of cyberthreat information between government and private industry. But even a highly watered-down final version of the bill couldn’t overcome opposition from business groups, which protested the expense of new regulations, and privacy advocates, who feared “big brother” surveillance of online activities. The act couldn’t muster the necessary 60 votes in the U.S. Senate before lawmakers left Washington, D.C., in early August, meaning federal cybersecurity rules probably won’t be addressed until next year.

Lohrmann, who now oversees all cyber and physical security for Michigan state government, won’t take political sides on the latest measure. But he’s adamant -- as are most other security professionals -- that more must be done to protect the nation’s critical infrastructure from attack.

A generation ago, dams, water systems, power plants and other vital facilities were operated manually. Today they’re controlled by computer networks that could be targets for increasingly sophisticated cybercriminals or terrorists. And of course much of the nation’s commerce relies on the Internet and related systems. Until cybersecurity standards are in place, security professionals worry that terrorists could shut down large swaths of the U.S. economy with the click of a mouse.

As an operator of critical systems, Lohrmann says Michigan is concerned about unfunded security mandates. But he equates reasonable cybersecurity standards with safety rules enforced on highways and other pieces of traditional infrastructure. “We need to have legislation; we need clear guidance in this area,” he says.

Another issue begging for clarity is how governments and private industry should share information about cybersecurity threats. Most security pros say that in order to strengthen cybersecurity, companies and government organizations need to inform one another about the types of threats they’re seeing.

Right now, the rules for doing that are muddy, at best, Lohrmann says. “What can be shared before, during and after a cyber event? What level of trust is in place? What information is subject to the Freedom of Information Act? We need common rules on this stuff.”

In the absence of clear guidelines, organizations tend to share less information rather than more -- and the sharing that does occur tends to be driven by personal relationships. In other words, you talk to the people you know and trust, and shut out those you don’t. Where that really hurts is in critical exchanges between various sectors of the economy. For instance, energy companies or transportation companies do rather well at sharing threat information among others in their industry. But formal rules are necessary if cyberthreat information is going to flow between industries.

“Stovepipes are sharing with stovepipes,” Lohrmann says. “The problem is cutting across those.”

Despite the latest setback, he remains optimistic that a bipartisan cybersecurity bill eventually will become law. And ultimately, you get the feeling that this issue is quickly becoming too big to ignore. Let’s just hope Congress figures it out while the lights are still on.

Caroline Cournoyer is GOVERNING's senior web editor.