While cyber-attacks against U.S. computer networks are becoming more frequent and increasingly more sophisticated, the country is lagging in its efforts to beef up IT security, government officials testified in front of Congress.
The Energy and Commerce Subcommittee on Oversight held hearings on cyber-security and securing the nation's critical infrastructure on July 26. The hearings examined the government's efforts to safeguard private-sector networks that are considered part of the country's critical infrastructure, such as the electric grid and nuclear power plants, against cyber-threats.
Witnesses included Gregory Wilshusen, the director of information security issues at the Government Accountability Office; Sean McGurk, director of the National Cyber-security and Communications Integration Center at the Department of Homeland Security's cyber-division; and Bobbie Stempfley, acting assistant secretary of the DHS Office of Cyber Security and Communications.
In her testimony, Stempfley denied that the increase in the number of attacks means that the security of U.S. government and private networks is weaker than it was a few years ago. "I wouldn't say we're more vulnerable than five years ago, but we are much more aware," Stempfley told lawmakers.
However, as more industries move toward electronic information systems, such as utilities relying on smart meters, they are exposing themselves to cyber-attacks, according to Stempfley.
As attackers target a wider range of industries, victims are becoming more willing to report the incidents, McGurk said, which means the government can collaborate more effectively with the private sector to collect information about threats and to mitigate them.
Under the White House cyber-security proposal released in May, the Department of Homeland Security would take the lead role in protecting non-military networks such as power grids and transportation networks. Rep. Cliff Stearns, R-Fla., subcommittee chairman, said he will hold additional hearings to examine how individual sectors are protected.
"We must identify and protect the very systems that make our country run: energy, water, health care, manufacturing and communications," Stearns said in his opening statement.
The United States has lagged behind on implementing necessary protections, GAO's Wilshusen told lawmakers, noting that the administration has fully implemented only two of the 24 recommendations from the president's cyberspace policy review. Progress has been slow because federal agencies lack cyber-security officials with clearly defined roles and responsibilities, Wilshusen said. The DHS also needs to improve its analysis and warning capabilities in order to respond to threats, he said.
Another area where progress has lagged is ensuring that critical industrial systems can fend off Stuxnet. Approximately 300 companies use the Siemens systems that the Stuxnet worm could compromise, according to McGurk, who was not sure whether they had implemented the recommended security precautions to guard against it.
The DHS is concerned that other attackers can use "increasingly public information" about the worm to launch variants that would target other industrial control systems, Stempfley said, noting that various iterations of decompiled Stuxnet code are available online. Stuxnet exploited several Windows zero-day vulnerabilities to spread, then abused the Siemens Step 7 engineering software to reprogram the programmable logic controllers it targeted, causing significant damage to Iran's nuclear enrichment program in 2010. There are reports that Iran is still trying to eradicate the infection.
"The threats to information systems are evolving and growing, and systems supporting our nation's critical infrastructure are not sufficiently protected to consistently thwart the threats," Wilshusen said.
As cyber-threats become more frequent and sophisticated, the House subcommittee should "play an important role" in any cyber-security legislation that moves through the House of Representatives, Fred Upton, R-Mich., full committee chairman, said in his opening statement. There are several cyber-security proposals circulating in the House and Senate, and some kind of cyber-security legislation focusing on threats to industry is expected later this year.
Stempfley also told the House subcommittee that the resignation of Randy Vickers as the director of the DHS' Computer Emergency Readiness Team on July 22 was a "personal decision."