“Honestly, it’s disconcerting that the bad guys are ahead of the good guys,” says Lohrmann, who became one of the nation’s first state chief information security officers in 2002, when he was tapped for that job in Michigan. “It seems like the bad guys are more organized and united in their goal, which is to take advantage of our lack of unity and coordination.”
The latest lack of unity occurred over the Cyber Security Act of 2012, which would have created cybersecurity standards for the companies that run critical infrastructure like the power grid, gas pipelines, and water and transportation systems. The measure, backed by Sens. Joseph Lieberman and Susan Collins, sought to improve sharing of cyberthreat information between government and private industry. But even a highly watered-down final version of the bill couldn’t overcome opposition from business groups, which protested the expense of new regulations, and privacy advocates, who feared “big brother” surveillance of online activities. The act couldn’t muster the necessary 60 votes in the U.S. Senate before lawmakers left Washington, D.C., in early August, meaning federal cybersecurity rules probably won’t be addressed until next year.
Lohrmann, who now oversees all cyber and physical security for Michigan state government, won’t take political sides on the latest measure. But he’s adamant -- as are most other security professionals -- that more must be done to protect the nation’s critical infrastructure from attack.
A generation ago, dams, water systems, power plants and other vital facilities were operated manually. Today they’re controlled by computer networks that could be targets for increasingly sophisticated cybercriminals or terrorists. And of course much of the nation’s commerce relies on the Internet and related systems. Until cybersecurity standards are in place, security professionals worry that terrorists could shut down large swaths of the U.S. economy with the click of a mouse.
As an operator of critical systems, Lohrmann says Michigan is concerned about unfunded security mandates. But he equates reasonable cybersecurity standards with safety rules enforced on highways and other pieces of traditional infrastructure. “We need to have legislation; we need clear guidance in this area,” he says.
Another issue begging for clarity is how governments and private industry should share information about cybersecurity threats. Most security pros say that in order to strengthen cybersecurity, companies and government organizations need to inform one another about the types of threats they’re seeing.
Right now, the rules for doing that are muddy, at best, Lohrmann says. “What can be shared before, during and after a cyber event? What level of trust is in place? What information is subject to the Freedom of Information Act? We need common rules on this stuff.”
In the absence of clear guidelines, organizations tend to share less information rather than more -- and the sharing that does occur tends to be driven by personal relationships. In other words, you talk to the people you know and trust, and shut out those you don’t. Where that really hurts is in critical exchanges between various sectors of the economy. For instance, energy companies or transportation companies do rather well at sharing threat information among others in their industry. But formal rules are necessary if cyberthreat information is going to flow between industries.
“Stovepipes are sharing with stovepipes,” Lohrmann says. “The problem is cutting across those.”
Despite the latest setback, he remains optimistic that a bipartisan cybersecurity bill eventually will become law. And ultimately, you get the feeling that this issue is quickly becoming too big to ignore. Let’s just hope Congress figures it out while the lights are still on.