US Critical Infrastructure Protection Update

The lack of robust security in the IT components of critical infrastructure remains a potent political topic in the United States. Comprehensive federal legislation has been expected for several years to address the issue, but none has yet made it to the President’s desk. As a result, the administration took the initiative in early February 2013 and issued an executive order and Presidential Policy Directive (PPD-21) to address some aspects of the problem. Most industry observers, including the White House, believe more needs to be done, and that Congress must also act.

Three of the most important requirements for improving critical infrastructure protection are:

1. The need for improved, bi-directional data sharing between government and the private sector
2. Agreement on the level (if any) to which government should mandate security best practices for private sector assets
3. Rules for proactive defense of private sector assets by the U.S. DoD and intelligence agencies

The recent executive actions focus mainly on the first two of these requirements, although NSS would argue that the sharing of classified government threat data with the private sector (referenced in point 1) is an example of leveraging national security assets for the protection of private sector assets (referenced in point 3). The Obama administration currently allows classified threat data to be shared with companies in the defense industrial base (DIB) sector and the electric/power industry. This program will be expanded to allow information sharing with any entity that is deemed a critical infrastructure provider. This action is also an example of the more general desire to improve bi-directional data sharing between the government and the private sector.

