Lawmakers are debating whether to empower the Department of Homeland Security to regulate the security of some privately owned information networks. But even if Congress passes such a bill, many experts question whether the department has the resources and expertise to handle the job.
Under a bill sponsored by Sen. Joe Lieberman, I-Conn., certain companies operating the nation's electric grid, water supply and other critical systems would have to meet cybersecurity standards approved and enforced by DHS and share with the government all instances when they come under cyber attack.
If Congress approves handing DHS a stronger regulatory role, the department likely would take some cues from other agencies serving in similar roles, such as the Nuclear Regulatory Commission (NRC), said a DHS official, who asked not to be named because the legislation is pending. DHS worked closely with Lieberman's staff as it drafted the bill.
Following the Sept. 11 terrorist attacks, NRC began issuing advisories and other notices directing companies it regulates to improve the physical and cyber protection of their nuclear power plants, said Craig Erlanger, who oversees NRC's Cyber Security and Integrated Response Branch.
NRC proposed a rule for cybersecurity in 2006 and published a final rule in March 2009. It used security standards developed by the National Institute of Standards and Technology and tailored them for the nuclear industry, building on its existing regulatory role.
"It has been a long road but a necessary road," Erlanger said. NRC had to bring in contractor support. Additional federal staff helped to review cybersecurity plans and create policies to build the oversight program. Building the program took significant resources, Erlanger said.
The regulations required utilities by November 2009 to submit for review and approval cyber plans and an implementation schedule to carry out those plans, or risk losing their operating licenses.
The plans address various security standards, including the proper use of portable devices such as thumb drives, which can carry malware such as Stuxnet into a plant, said William Gross, senior project manager for security at the Nuclear Energy Institute (NEI), a policy organization sponsored by the nuclear industry. While the nation's 104 nuclear power plants do not rely heavily on the Internet, Internet security is still a concern because Internet connections are used for emergency response and to communicate with offsite organizations, Gross said.
Power plants have until December to address key milestones in their implementation schedule, including identifying critical digital assets and forming, training and qualifying a cybersecurity assessment team. Their progress will then be verified by NRC during onsite inspections.
To continue operating safely, "we had to [improve our cybersecurity] even if NRC didn't mandate [it]," NEI spokesman Mitch Singer said.
NEI wants to ensure that any new cybersecurity legislation will not interfere with the work underway in the nuclear sector.
Other industries, such as the financial sector, also are keeping an eye on Congress as it considers new cybersecurity rules.
"We agree that it is necessary for the [banking] environment to have a higher level of protection in some instances," said Doug Johnson, vice president of risk management policy at the American Bankers Association. The "greatest value add" is for DHS to continue providing industry with information about current cyber threats.
The water utility sector is in great need of tighter cybersecurity rules, said Nate Kube, founder and chief technology officer of Wurldtech, a company that specializes in identifying and remediating cyber risks. Water companies face little regulation in the cyber arena, and there is little market incentive for them to improve their cybersecurity on their own, he said. The Government Accountability Office in a December report found that "many medium-size or small [water] utilities struggle to maintain the staff needed just to keep their systems properly running."
DHS needs to work with other agencies, experts and industry to drive the use of independently validated security solutions for critical infrastructure systems and network operations, said Benga Erinle, president of 3eTI, which provides secure wireless products to industry and the government.
When standards are set and there are clear requirements for selling secure technology products to critical infrastructure sectors, the security level will improve, Erinle said. "Regulations can fix things, but they may not be the most efficient way to fix things."