Comparing the potential effect of a cyber-disaster to the ravages of Hurricane Katrina, lawmakers called on the Department of Homeland Security and commercial infrastructure owners to explain why more progress isnt evident in preparing for a massive cyber attack.
“I never want to sit on a special committee set up to investigate why we were unprepared for a cyber attack,” said Sherwood Boehlert, R-N.Y. “We know we are vulnerable.”
Boehlert, chairman of the House Committee on Science, held a hearing Friday on vulnerability and preparedness in cyberspace. Other congressional committees have sought answers this year from DHS on why more progress hasnt been made, but the departments insufficient response to Hurricane Katrina—namely, the response by DHSs Federal Emergency Management Agency—has given the matter of cybersecurity greater urgency.
“Its inevitable that you look at it in context to Katrina,” said Rep. Bart Gordan, D-Tenn. “What if all the banks, what if all the power systems, go out of order? For the American public, it means a big bill. I dont want to be here at a hearing later on saying what went wrong. We want to get in front of this.”
Members of the committee complained that DHS has not moved with sufficient speed to secure the networks that underpin the nations critical infrastructure, including the power grid, energy sector and telecommunications networks. A review released in July by the Government Accountability Office found that the department had not yet developed vulnerability assessments or contingency plans.
“Progress in securing the cyber-infrastructure has simply been too slow,” Gordon said. “Inaction can be an enemy just as lethal as terrorism.”
Information security officers from several critical infrastructure sectors told lawmakers that the degree of vulnerability and threats remains unknown.
“We are vulnerable to an undetermined extent,” said Gerald Freese, director for enterprise information security at the American Electric Power Co., in Columbus, Ohio.
Freese and his counterparts in the energy, chemical and telecom industries said they work closely with DHS and other government agencies, but few concrete details were revealed as to how that cooperative work has made the cyber-networks safer.
“SBC maintains close ties to government agencies responsible for national security,” said Andrew Geisse, chief information officer for SBC Services Inc. “We work closely with them on a daily basis to receive and share security related information.”
The governments quest for greater data sharing from industry has provided a venue for the private sector to make a plea for more expansive ways to keep information secret. The governments Critical Infrastructure Information approach shields data that is shared with DHS from public view, but Freese told lawmakers that the electric industry remains concerned.
“Certain technical, architectural and operational aspects and details must be kept secure so they will not be inadvertently disclosed to those who would try to disrupt or destroy our social, political or economic fabric,” Freese testified.
Industry officials called on Congress to allocate more money for cyber-research and to make sure criminal penalties are enforced.
“You should make sure our laws carry serious penalties for cybersecurity issues and that the instigators are prosecuted to the full extent of the law,” Geisse said. “It is no longer just kids playing with computers.”