Editor's Note: Ms. Hathaway has not been named to a permanent post. Placed in charge by the Obama administration of a 60-day review of the federal government's cyber security initiatives on Feb. 9, her official title for the review period is Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils.
Thats good news for the country, because strong cyber security is impossible if the federal government tries to go it alone. About 85% of our Nations most vital infrastructure, from nuclear power plants to chemical plants, is in private hands. With the control systems that run these heavy industrial facilities increasingly connected to business networks and the Internet, they have become ever more vulnerable to cyber-attack. In many cases, the corporate IT department may not even know how or where the control system or SCADA (supervisory control and data acquisition) network is connected to the business network; these infrastructures are often managed by different groups.
Further, the simple issue of the proliferation of IP-enabled devices can negatively impact network security with IP phones and hand-held devices presenting exponential potential for unmanaged connectivity both into and out of the corporate network; and subsequently the control system itself. Beyond control systems, the interconnected nature of private and governmental networks means that a threat to one potentially affects the other.
Melissa Hathaway said as much in an op-ed she wrote in October of last year for the McClatchy-Tribute News Service:
The same devices that thieves use to sneak into bank accounts, the same techniques that hackers use to disrupt Internet service or alter a digital profile, are being used by foreign military and spy services to besiege information systems that are vital to our nation's defense. Because defense and other national security contractors share data and systems with their government partners, an attack on one can be an attack on many. Plans are only as secure as the weakest link in the information chain.
Indeed, the cyber security policy outline that the Obama administration posted to the Whitehouse.gov site last month includes initiatives to work with the private sector to establish tough new standards for cyber security, protect trade secrets and research and to hit back at cyber criminals. Clearly, the Obama administration plans to put a lot of effort into working with the private sector on IT security. So, what does it mean for everyday, private sector CIOs?
Hathaway and You
Just as Sarbanes-Oxley was a response to mismanagement at the CFO level, this cyber initiative will likely address a lack of management at the CIO level in the form of additional regulations and legislation. Right now, in fact, the Obama administration already has some of the legislative foundation it needs around privacy and SCADA security to toughen regulations. Still, CIOs should expect that additional legislation will be enacted to give it even more teeth.
Ultimately, it means that CIOs will be held responsible for their networks, which means they need to understand what assets are on their network, how their network connects to other networks and how these assets are secured.
The future, however, does not only hold a stick for CIOs. Theres a carrot in the form of avoiding costly data breaches and serious cyber crime incidents.