Cybersecurity rarely receives much attention in the US political arena, though it should be a top priority. After all, it’s inextricably linked to the strength of our national security, so it was great to hear President Obama emphasize the importance of cybersecurity in his State of the Union address last week.
The President has signed an executive order aimed at motivating the private sector to work alongside the federal government, collaborating on the best way to share data and developing a new framework of practices to better protect our nation’s critical infrastructure from hackers and cyberthreats.
What do we mean when we say “critical infrastructure”? Think electrical grids, banking networks, water treatment facilities, communication systems, transportation and public health systems – all of the systems and assets we need to keep our society going. If a hacker or terrorist gained access to any of these assets, the impact on our national security would be debilitating. This order aims to strengthen the defense of our critical infrastructure.
If you’re still wondering what exactly the White House has in mind for the framework, I found some clarification in a blog post from Michael Daniel, special assistant to the President and cybersecurity coordinator:
“The framework does not dictate “one-size fits all” technological solutions. Instead, it promotes a collaborative approach to encourage innovation and recognize the differing needs among critical infrastructure sectors. Organizations who want to upgrade their cybersecurity will have the flexibility to decide how best to do so using a wide range of innovative products and services available in the marketplace.”
This makes sense. In essence, the framework seeks to offer critical infrastructure providers all the tools they may require to protect themselves, while giving them the freedom to implement those tools in the way that works best for them. Vital to every system, though, will be building strong authentication into the framework for access systems – physical and logical – so that we can be sure that those accessing buildings or networks and data have the clearance to do so.
The good news is that the technology to make this happen is already available. The same technology used today by government agencies for physical and logical access, Personal Identification Verification (PIV) credentials, is available for critical infrastructure providers in the form of the PIV-Interoperable (PIV-I) credential, and to commercial organizations in the form of the Commercial Identity Verification (CIV) credential. These credentials are standards-based, trusted, and proven to provide the highest levels of security, and certainly deserve a spot in the framework.
The National Institute of Standards and Technology (NIST) must now work with the industry on best practices and on identifying areas of existing consensus. If we pay enough attention to protecting our critical infrastructure now, we can avoid a critical situation should our systems come under attack.