From: Infosecurity Magazine
Drew Amorosi
With NIST recently unveiling its ‘Preliminary Cybersecurity Framework’ for critical infrastructure, Drew Amorosi reaches into the vault before his live interview with The Chertoff Group’s Mark Weatherford during today’s Infosecurity Virtual Conference
Few people know as much about cybersecurity – or about applying it at a public level – as Mark Weatherford. Currently a principal with The Chertoff Group, a broad-based security consultancy founded by the former DHS secretary, Weatherford built his resume first as a cryptology officer in the US Navy, then in the private sector, but most recently through a string of public sector roles that culminated in his appointment as the US Department of Homeland Security’s first Deputy Under Secretary for Cybersecurity.
It was late this past summer when I caught up with Weatherford, during the SINET Innovation Summit in New York City. President Obama’s recent executive order on cybersecurity for critical infrastructure was still fresh on the minds of many attendees, and was naturally on the agenda. “I had a big part in that before I left DHS”, Weatherford said of his role in developing the Administration’s executive order.
I asked him how severe the cyber threat to critical infrastructure is, and whether the potential exists for loss-of-life events. “I think there could be”, he says candidly. He recalls the 2003 blackout over wide swaths of the Northeastern US and parts of Canada, and all of the services that it affected. “When you think about the organizations that provide security, safety, and healthcare services to society, that all of the sudden don’t have power…if this went on for a long period of time, it could be rather catastrophic.”
He also reflects on Hurricane Sandy and the havoc it wreaked on the New York metro area, including its inability to pump clean drinking water. Of course, he reminds me, these were not cyber-related attacks, but the breakdown of services illustrated the negative cascading effects of long-term outages, which are a real possibility. There are survival issues at play here, he added, and when it comes to cyber-attacks on critical infrastructure, he surmised, “potentially it could be life threatening.”
Where the threat comes from misses the point, Weatherford claims. “That’s an intelligence issue, and I’m a security guy”, he tells me. “My job is to help companies understand what their risks are”, he says of his current role with The Chertoff Group. “It doesn’t matter to me whether it’s a terrorist, or a nation-state, or a hacktivist group; anything that can cause disruption or destruction is something – from a security perspective – that needs to be built into [organizations’] risk framework.” In his estimation, it is not the who but what they are able to do: the actual vulnerability is the real concern.
When it comes to protecting critical infrastructure, Weatherford has overall praise for Obama’s executive order. Nevertheless, the private sector, in his opinion, harbors a level of distrust toward the ‘Preliminary Cybersecurity Framework’ that the order called for and that was developed under NIST’s leadership. The problem, Weatherford suggests, is that although the framework’s recommendations are voluntary, it is unclear what will happen if an organization suffers a cyber-related security incident without having implemented those ‘voluntary’ guidelines. There are potential legal ramifications at play here, he insists.