Adfero Group HSPI

By Michael Balboni
In an op-ed for Newsday, I examined Secretary Napolitano’s announcement of a National Strategy for Supply Chain Security, noting that it only mentioned the importance of physical security. Surprisingly, cyber threats were left completely off the table, though it is crucial to recognize that both these threats are actually inexorably intertwined.

By Doug Doan
For anyone who needed a reminder of just how botched and dysfunctional it is to build or improve a border crossing, take a look at the toxic debate over the Keystone Pipeline. Fierce politics, nasty in-fighting, delay, distortion and misdirection all become standard fare. The Presidential Permit process was supposed to bring order and discipline to building anything across the border linking the United States, Canada and Mexico. But what a mess it has become. Every new idea must navigate an increasingly complicated bureaucratic gauntlet.

Following the recent attention given to the water sector’s vulnerability to cyber intrusion, there’s been a lot of talk about what went wrong, whose fault it was and why changes need to be made in the sector. However, the challenge in addressing the water sector’s cyber security posture isn’t in outlining existing problems, but rather in generating realistic, affordable and timely solutions to mitigate them. My concern is that we may just keep talking about the problem without actually doing anything about it.

Since news broke last week about a suspected cyber attack on an Illinois water utility, media, government and industry have probed the ramifications for U.S. critical infrastructure protection (CIP). Though DHS and FBI later found no attack had occurred, the incident does highlight vulnerabilities in the way utilities are secured against cyber threats. To understand these complex issues, reporters turned to water security expert, Catalyst Partners principal and Security Debrief contributor Vance Taylor.

By Rob Strayer
It is an unfortunate modern reality that cyber attacks are commonly used to steal money from businesses and individuals. Cyber attacks that disrupt or destroy physical assets, on the other hand, have been rare up to this time. The news over the weekend that a terrorist organization was able to finance its activities by hacking AT&T business customers’ telecommunications accounts represents a new and disturbing development in the use of cyber attacks by terrorists.

As happy/relieved as I am to know that the Russians aren’t out to disrupt our water services, it is important to note that a water system in South Houston was the victim of a real cyber attack. (You’ll recall it occurred in direct response to DHS downplaying of the reported situation in Illinois).The would-be attack, and the actual one, are stark reminders that the threat of cyber attacks are real.

I have read several articles on the recent water plant cyber intrusion that damaged a pump in a small utility firm’s facility in Illinois. I am not a digital forensics analyst, but I do find the reactions very interesting. Frankly, I don’t know what the Water Plant incident really means, but at this point neither does anyone else. Can we afford to dismiss it, even if it turns out to be amateur hackers? I have said this before; the sky is not falling! However, we still need to up our vigilance and recognize that we have enormous vulnerabilities and competent adversaries.

In the wake of “National Preparedness Month,” over the weekend the first edition of the National Preparedness Goal (NPG) was released. The NPG correctly recognizes resilience as a fundamental component of national preparedness – a desired outcome. The issue, however, is not what America can do but rather what America will do. There can be little doubt that since 9/11, America is far more physically protected. However, contrary to the assertion in the NPG, and as protected infrastructure failures and nature-driven consequences continue to demonstrate, America is anything but more prepared.

Again the other day, another of our government cyber leaders delivered the usual canned speech about how we must increase our defenses – read expand budgets/personnel – to defend ourselves against an “electronic Pearl Harbor.” And so, once again, the muscles in the back of my neck begin to stiffen wondering when they are going to stop saying this and if, some day, they will arrive in the 21st century. Cyber attacks – they are not wars – are not about total destruction but death by a thousand cuts.

The world has faced tragic events of late: the Japanese earthquake and tsunami; the tragic bombing and shooting in Oslo, Norway; and post-Hurricane Irene floods along the U.S. East Coast. With these and other ever-present threats to our critical infrastructures and way of life, the National Defense Industrial Association’s (NDIA) 2011 Homeland Security Symposium is “Disasters: Preparing, Surviving and Responding to Dynamic Threats.”

In response to a recent DHS report citing concerns about the ability of insiders to cause significant damage at water utilities, Sen. Chuck Schumer is set to introduce legislation that would mandate FBI background checks for employees at drinking water and wastewater plants. While I understand Senator Schumer’s logic, Congress would be wise to hit the “pause” button before introducing new regulatory mandates so it can reexamine our current national approach to addressing water security.

An electromagnetic pulse (EMP) attack – produced by a nuclear weapon detonated at a high altitude or by a geomagnetic storm – has the potential to decimate America’s electrical and technological infrastructure. The Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack found that an EMP is a threat to our society and military. Yet, despite broad consensus, Congress has yet to act in a substantive manner. For the most part, U.S. government agencies have not taken planning for their response to an EMP attack out of the theoretical stages.

Despite near-continuous pronouncements on the topic of resilience, the Administration decided not to define resilience in its latest Presidential Policy Directive/PPD-8: National Preparedness. It is precisely the difficulty of nationally defining resilience that should compel the government to do so. Deciding not to define resilience and its application to the Nation’s infrastructure condemns America to continuous validation of Einstein’s definition of insanity: “Doing the same thing over and over again while expecting a different result.”

By Michael Hendrix
Critical infrastructures are the veins and arteries carrying the lifeblood of America’s economy and society. In a recent National Chamber Foundation event, Admiral Thad Allen described critical infrastructure as especially susceptible to “Black Swans.” To minimize the unexpected risk to critical infrastructure, we need a set of best practices, a sort “Black Swan toolkit.”

There was a time when the United States’ transportation infrastructure was the envy of the world. Times are changing and U.S. infrastructure isn’t. This poses a significant threat to America’s profitability, economic recovery and international competitiveness. Recognizing this, the National Chamber Foundation – the U.S. Chamber of Commerce’s think tank – put on a program in conjunction with the Chamber’s Let’s Rebuild America initiative, “Infrastructure: What We Want, What We Need.” Here’s a breakdown.

America’s infrastructure could use a makeover. Many of the things that help this country “GO” – roads, bridges, utilities and more – are in poor shape and in many places, crumbling before our eyes. Yet, the country has seen little in the way of real change when it comes to building a stronger, more resilient America. Not enough of us are talking and thinking strategically about infrastructure investment priorities, how risk and resilience are considered, and how we are going to pay for these much-needed updates. Enter Adm. Thad Allen, former commandant of the U.S. Coast Guard.

Yesterday, the Homeland Security Advisory Council (HSAC) released the recommendations of its Community Resilience Task Force (CRTF), which argue that it is impossible to build a resilient nation upon protected yet aged, overstressed, exploitable and consequence-amplifying infrastructure foundations.

One of the more interesting parts of the rejuvenated Anarchist movement has been the adoption of Guy Fawkes as a hero. The Internet movements like Anonymous and a number of other Lulzs have been doing their level Guy Fawkes’ best to flex their muscles against the man. And so Uncle Sam, in the guise of the U.S. Government, is finding out the wild frontier of cyber space is not about to be intimidated by Washington laws or declarations. We focus on nation states. In the new frontier, all the Guy Fawkes are the same.

It’s a basic lesson any semi-decent carpenter or weekend handyman knows. If you have the right tools, you can do your job a lot easier and a whole lot better. As basic as this premise might be, it is one that we have failed to follow in terms of dealing with fire and ice in this country. With a median age of several decades and enormous wear and tear, the reliability and safety our firefighting planes is in serious question.

Black swans are another name for Secretary Rumsfeld’s famous category of “known” unknowns, things we know we don’t know – but maybe we should. The Japanese anticipated the double-shot of earthquakes and tsunamis, but not the triple whammy of earthquake-Tsunami-massive release of low-dose radiation from nuclear power plants. It is hard to believe that Washington would not screw up a nuclear incident just as badly as Toyko, particularly if the event happened in the midst of another catastrophe.