Who should be responsible for critical infrastructure’s cybersecurity?
New research from industrial cybersecurity company Claroty found that the overwhelming majority of IT professionals believe the government should be responsible for securing critical infrastructure.
According to Claroty’s new report, “The Global State of Industrial Cybersecurity,” 87 percent of U.S. respondents said that it’s the federal government’s responsibility to ensure the security of critical infrastructure, the lowest number among the five countries polled.
“It’s possible that because critical infrastructure is so essential to the function of a nation, individuals believe that it is the sole responsibility of the government to protect these systems,” Dave Weinstein, chief security officer of Claroty, told Fifth Domain. “But the reality is that this task is a partnership between the public and private sector — 85-90 percent of our critical infrastructure is owned and operated by the private sector, so they have to take primary responsibility.”
Claroty polled 1,000 IT professionals across the United States, Germany, France, Great Britain and Australia.
The government’s role in protecting critical infrastructure is a controversial issue. Most critical infrastructure is owned by the private sector, and operators are reluctant to give the government more access to their networks for cybersecurity.
But the poll comes just weeks after the release of a comprehensive cyber policy report by the Cyberspace Solarium Commission, which recommended that the federal government and private sector strengthen their relationship through a variety of different programs.
“As a matter of national security, critical infrastructure providers have a special obligation to the government, to the nation,” Tom Fanning, a solarium commissioner and the CEO of gas and electric utility Southern Company, said March 5 at a commission event.
The federal government — particularly through the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security and the National Security Agency’s Cybersecurity Directorate — is trying to improve cyberthreat intelligence sharing between critical infrastructure operators and the feds.
Weinstein said the federal government can improve its relationship with critical infrastructure providers through information sharing and vulnerability disclosure.
“There is a major need for continuous improvement of information sharing across the board as well as communicating the value from the government to the industries and sharing all information available,” Weinstein said. “Through coordinated vulnerability disclosure, the government ... must communicate with the vendors themselves, who are the people who actually manufacture the industrial control systems around the world.”
The Cyberspace Solarium Commission report recommended that the intelligence community review policies that inhibit threat information sharing with the private sector. The report also called for the creation of information sharing platforms to improve communication between industry and the feds.
“It doesn’t just fall on the federal government, and it doesn’t just fall on enterprise organizations,” Weinstein said. “This is an issue that everyone needs to take seriously.”
Photo: A new survey asked IT professionals who they think should be tasked with securing critical infrastructure. (Gerald Herbert/AP)