Cybersecurity – Critical Computer Infrastructure Should Extend Beyond Cyberspace
Cybersecurity Commentary by Security Management Expert Ed Levy, Firestorm Expert Council Member
Edward M. Levy is a senior security executive with nearly 30 years in the corporate and government sectors. Mr. Levy was the VP & Global Head of Security for Thomson Reuters. He served in other corporate security positions with Pfizer, CIT Group, and the Empire State Building. Mr. Levy is also a retired Lieutenant Colonel in the US Army and a former Assistant Professor at the United States Military Academy at West Point.
Critical Computer Infrastructure Should Extend Beyond Cyberspace
A recent article in Homeland Security News Wire reported that the current Administration is “exploring whether to issue an executive order to protect the U.S. critical computer infrastructure from cyber attacks.”
As stated in the article:
“President Barack Obama is exploring whether to issue an executive order to protect the U.S. critical computer infrastructure from cyber attacks; White House sources say an executive order is being considered after a 2 August procedural vote in the Senate that all but doomed a cyber-security bill endorsed by Obama as well as current and former national security officials from both Republican and Democratic administrations.”
The Administration details that “Our Nation’s cybersecurity strategy is twofold: (1) improve our resilience to cyber incidents and (2) reduce the cyber threat.”
While I see this as a great initiative on infrastructure protection legislation for the private sector, I believe the language surrounding “critical computer infrastructure” should extend beyond cyberspace.
Threats to companies and to the DHS-designated critical infrastructure sectors are credible, determined, and persistent, especially where intellectual capital and key resources must be protected. The point worth discussing is that “the threat” is not only the faceless cyber attack that traverses networks to penetrate, disrupt, disable, vandalize, or loot a company from the outside; an equal threat originates with someone who was granted access legitimately and then operates from inside the company.
I am a believer in regulation for security. Our profession is still widely regarded as a cost center and a financial burden on doing business and delivering services; regulation and legislation help make the case for security under an enterprise risk management construct.
The issue with this piece of legislation is that it offers only a partial view of infrastructure protection. It does not cover the full threat profile: intellectual capital is lost not only through networks and computers but also through the physical space, where it is often there for the taking.
Losses accumulate through processes (or the lack of them) by which companies effectively invite and admit nefarious activity into the logical infrastructure through physical means, resulting from:
- inadequate background checks
- open access to contractors and vendors
- antiquated visitor controls
- poor employee and contractor on-boarding and termination procedures
- non-existent document controls
- narrow due diligence processes during mergers and acquisitions
- lack of meaningful training and awareness
An executive order or legislation for infrastructure protection is excellent, but it needs to be complete. Infrastructure protection spans several security domains, each requiring specific expertise under a process-management approach; cyber is only one of those domains.
Ultimately, security should be converged under a single unifying framework for governance and operations to manage the full spectrum of security risks and protective strategies to reduce exposure.
So again, great initiative, but the question remains: why the cyber threat only? Why not a complete baseline policy that truly outlines the infrastructure protection measures companies should comply with to protect their financial, reputational, fiduciary, and operational well-being?
Join Ed Levy and Firestorm on Wednesday, August 22, from 2 to 3 PM EDT for Threat Management: Navigating the Obvious.
Ed will address “Do you really know what’s walking out of your door?”
According to the results of ID management provider Cyber-Ark’s sixth annual global “Trust, Security and Passwords Survey,” just under half of 820 respondents admitted that, if they were fired tomorrow, they would walk out with proprietary data such as privileged password lists, company databases, R&D plans and financial reports — even though they know they are not entitled to it.
The report reveals that “while insiders continue to be perceived as the biggest risk organizations face in securing against data breaches, a majority of respondents agree that all recent security breaches – internal and external – involved the exploitation of privileged accounts. The continued exploitation of these accounts in some of the industry’s most notorious data breaches is a significant factor in the growing recognition of the ‘privileged connection.’ Businesses need to continue to be vigilant in securing and managing these high value targets.”
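The termination and contractor-access failures listed earlier, and the privileged-account exposure the survey describes, are exactly what a periodic reconciliation of the HR roster against the account directory catches: accounts still enabled after their owner left, accounts with no owner on record, and contractor accounts with no end date. The Python script below is an added example, not code from the post, from Firestorm, or from Cyber-Ark; the roster, the directory export, the reference date, the one-day grace period, and the severity labels are all constructed assumptions.

```python
"""Offboarding and privileged-account reconciliation (added example).

Joins an HR roster against a directory export and flags, for every
account that is still enabled:
  * the owner has a separation date more than `grace` in the past
  * no owner is recorded, or the owner is not on the roster (orphaned)
  * the owner is a contractor with no access end date on record
Privileged accounts raise the severity of each finding by one step.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    kind: str                   # "employee" or "contractor"
    end_date: Optional[date]    # None: no separation / contract end on record


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]     # None: directory holds no owner for this account
    enabled: bool
    privileged: bool


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str
    severity: str               # "critical", "high" or "medium"


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def reconcile(roster: List[Person], accounts: List[Account], today: date,
              grace: timedelta = timedelta(days=1)) -> List[Finding]:
    """Return findings ordered by severity, then by username."""
    people = {p.person_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is the desired end state; nothing to report
        owner = people.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            findings.append(Finding(acct.username, "orphaned account",
                                    "high" if acct.privileged else "medium"))
        elif owner.end_date is not None and today > owner.end_date + grace:
            findings.append(Finding(acct.username,
                                    f"owner left on {owner.end_date.isoformat()}",
                                    "critical" if acct.privileged else "high"))
        elif owner.kind == "contractor" and owner.end_date is None:
            findings.append(Finding(acct.username, "contractor with no access end date",
                                    "high" if acct.privileged else "medium"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.username))


# Constructed sample data (assumed, not taken from the post or the survey).
TODAY = date(2012, 8, 20)

ROSTER = [
    Person("E100", "employee", None),                 # current employee
    Person("E101", "employee", date(2012, 8, 10)),    # left ten days ago
    Person("E102", "employee", date(2012, 8, 19)),    # left yesterday, inside grace
    Person("C200", "contractor", None),               # open-ended engagement
    Person("C201", "contractor", date(2012, 9, 30)),  # engagement ends in future
]

DIRECTORY = [
    Account("alice", "E100", True, False),       # fine
    Account("bob", "E101", True, True),          # privileged, owner gone -> critical
    Account("bob-svc", "E101", False, True),     # already disabled -> ignored
    Account("carol", "E102", True, False),       # within grace period -> ignored
    Account("dave", "C200", True, True),         # privileged contractor, no end date
    Account("erin", "C201", True, False),        # contractor with end date -> fine
    Account("backup-admin", None, True, True),   # no owner recorded -> orphaned
    Account("legacy-app", "E999", True, False),  # owner not on roster -> orphaned
]


def run_sample() -> List[Finding]:
    """Reconcile the constructed sample; used by main() and by tests."""
    return reconcile(ROSTER, DIRECTORY, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:8} {f.username:14} {f.issue}")
```

The grace period exists so that an account is not flagged on the day of separation while the offboarding ticket is still in flight; set it to zero if your process disables accounts before the person leaves the building. The ordering of the three checks matters: an account whose owner has already left is reported as such even if that owner was a contractor, so the most actionable issue is the one you see.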
Join Ed Levy – a Firestorm Expert Council Member and senior security executive – to discuss strategies for minimizing risk due to data and intellectual capital losses.