With the recent heat waves and storms that have impacted millions of people throughout the United States, much is being written about the nation’s inability to prevent and recover quickly from destructive events. I am not yet ready to start placing blame – there are lots of things I should have done to be prepared. Individual responsibility leads to community preparedness. Here are some thoughts the disruptions bring to mind.
A week ago, with a heat wave bearing down on the eastern United States, heavy storms left millions of homes without power, mine being one of them. Homeland security has morphed from being just about protecting the homeland from madmen to something more like civil defense, which includes protecting critical infrastructure. While we seem to be doing OK against the most egregious threats, our vulnerability to infrastructure disruption remains a problem. We need no more excuses about how bad the thunderstorms were; we have a problem that makes us vulnerable.
Once again, America is officially under attack. According to multiple reports, including an “incident response” report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S. natural gas pipeline companies are at the center of a major cyber attack campaign. While I’m certain that some in Congress will use this latest cyber attack campaign as fodder to further their cyber security legislation, I do not believe we can legislate our way out of this problem.
It is always difficult to fully absorb the lessons from wide-scale crises in the wake of the catastrophe. Information is often incomplete or contradictory, or still evolving. Learning these lessons, however, provides an opportunity to address the shortfalls of catastrophic disaster response.
The EPA was set to disregard the counsel of the Department of Justice, water system owners/operators and security experts by posting the non-Off-site Consequence Analysis (non-OCA) sections of the water sector’s RMPs this summer. Amid industry outcry, the EPA changed course and decided to postpone re-establishing public Internet access for certain highly security sensitive categories of information collected by its Risk Management Plan (RMP) Program. Irwin Fletcher said, “It takes a big man to admit when he’s wrong. I am NOT a big man.” Such is the case with the EPA.
Ten years from now, global water shortages are likely to threaten U.S. security interests. Ask the Director of National Intelligence, the Defense Intelligence Agency or someone from the Central Intelligence Agency; better yet, read the most recent National Intelligence Estimate. According to a senior U.S. intelligence official who briefed reporters on this issue (on condition of anonymity), there is an increasing likelihood that water will be “potentially used as a weapon, where one state denies access to another.”
Major disasters are relatively rare in Cyprus. Other than a magnitude 6.8 earthquake in 1996 that did not result in any casualties (but was the largest since 1953), annual wildfires and droughts, the island nation has generally avoided the brunt of manmade or natural disasters. But alas, tranquillity breeds complacency. In 2011, 98 containers of improperly stored explosives exploded in Cyprus with devastating impacts on human life, infrastructure and the Cypriot economy. Now is the time for Cyprus to address the hazards it faces.
There comes a time when sharing too much information is a dangerous thing, and this is what the Environmental Protection Agency is about to do. In June, the EPA plans to establish Internet access for the public to view the non-Off-site Consequence Analysis (non-OCA) sections of the water sector’s Risk Management Plans (RMPs). The announcement from the Office of Emergency Management cites burdens associated with Freedom of Information Act requests and a need from the FBI and others for greater access to non-OCA data. Here are my two biggest problems with what EPA plans to do.
The two distinctly different Senate Cyber-Security bills currently making their way through the US Congress respond to the ever-increasing cyber assaults on the US, and particularly the CIKR sectors. It is clear that action must be taken to further harden our IT systems from these asymmetrical and often successful attacks. But remember cyber-security is a balancing act based on the risk tolerance of corporations and agencies. We have enough regulations already in place. What we need is more information sharing on a two-way street.
Today’s reality is the Internet is the repository of a huge and growing amount of code (including malware) whose origin and ultimate purpose are unknown. Yet, well-intentioned, repeated government calls for action have not and will not fix a problem enabled by globally deployed technologies. There has been (and continues to be) a great deal of rhetoric and staff activity on the subject, rhetoric is not results and activity is not accomplishment. The current approach to ensuring the operation of America’s critical infrastructures can only be characterized as lessons-observed because we have failed to change our behavior.