The result is the Securing the U.S. Electrical Grid report; to discuss the critical security challenges it raises, we have Dan Mahaffee, the Director of Policy at CSPC.
How can politics influence the rise of critical infrastructure security on a national level?
Politics will certainly play a role in how our nation approaches critical infrastructure security. Many of the current bureaucratic structures for critical infrastructure security have arisen from politics. The Department of Homeland Security reports to over 100 committees and subcommittees because of politics.
One ongoing political debate is how to organize the various government agencies and entities responsible for cybersecurity—political influence and budget dollars are at stake. Given the importance of communication between government and critical infrastructure, it is important to provide some level of stability in the relationship between government and private sector operators.
Instead of reorganization, political leaders should emphasize clearer divisions of existing authority and streamlined communication within government regarding grid issues.
Additionally, cybersecurity legislation—along with most legislative business—has fallen victim to a deadlocked Congress. Even though it seems that the House and Senate have agreed on 90% of the legislation, politics has prevented the bills from going to a conference committee where the remaining 10% could be resolved. This political environment is only more difficult following the Snowden leaks, and it will require political leadership—both from elected officials and industry leaders and advocacy groups—to explain the importance of critical infrastructure protection to the American people and to seek the compromises to pass needed legislation.
Should the USA allow foreign companies to produce software/hardware for the domestic smart grid? How can these solutions be tested in order to prevent accidental or intentional failures?
In a globalized world, the issue of supply chain security is an area of significant concern. In some major countries there is a far blurrier line between government and the private sector when it comes to technology companies, and the United States needs to be aware of the security risks posed by these companies’ hardware and software. U.S. policymakers have demonstrated their leadership on this issue, but there are still concerns about how software or various components of hardware might introduce vulnerabilities to U.S. infrastructure. However, in a globalized world, we also cannot afford to succumb to the temptations of protectionism or risk retaliation against the operations of U.S. technology companies doing business overseas.
A combination of government and private sector testing processes can be implemented to test hardware and software for counterfeit components, potential backdoors, or other vulnerabilities, and these processes can be applied to both imported and domestically produced systems. Additionally, this testing can avoid a one-size-fits-all approach by evaluating not only the security of the product but also the criticality of its intended destination. Obviously, hardware or software that will be installed at key grid nodes, links to other critical infrastructure, or major civil or military facilities will undergo more rigorous testing than that destined for less critical sites.