Last modified: Thursday, April 9, 2009
IU law professor: Power breach troubling, not unexpected
FOR IMMEDIATE RELEASE
April 9, 2009
BLOOMINGTON, Ind. -- Recent reports that foreign spies have hacked into the U.S. electrical power grid come as no surprise, according to an Indiana University Maurer School of Law cybersecurity expert. Media outlets reported this week that Chinese and Russian hackers installed software that could have caused significant damage to America's power or water supply systems if activated.
Fred H. Cate, director of the Center for Applied Cybersecurity Research and distinguished professor at the Maurer School of Law, said foreign entities have been attempting to tap into such networks for years, and have succeeded on multiple occasions.
"The most surprising aspect of recent disclosures about cyberspies having penetrated the U.S. electrical grid is how much the disclosure seems to have surprised policymakers and the press," Cate said. "We have known for years both that foreign governments were attacking the U.S. cyberinfrastructure and that those attacks extended to power and other utilities."
The revelations about the most recent attacks on the U.S. electrical grid merely highlight two well-known facts, Cate said. First, most of America's most critical infrastructure is controlled by the private sector, not the federal government, and second, that infrastructure is vulnerable to attacks by cybercriminals and cyberterrorists.
"As a result, enhancing the quality of information security in the private sector is critical to protect valuable data and communications systems in their own right and to secure private-sector systems that control other elements of critical infrastructure -- such as the wireless switches that route trains and control pipeline flows," Cate said. "Moving critical systems to the Internet enhanced convenience and saved money, but it also exposes them to cyberattacks from around the globe."
Cate recently submitted comments to the White House team conducting a 60-day cybersecurity review. He outlined the following key steps the government needs to pursue to help protect public- and private-sector networks from attack:
- Create better incentives, including adopting regulations, to encourage companies to take the obvious steps to protect data and information systems.
- Modernize privacy law so that individual privacy, as well as public support, isn't eviscerated in the quest for stronger security.
- Prioritize threats, responses, and resources, so we do a better job at anticipating, not merely responding to, cyber threats and vulnerabilities.
- Establish a clearly defined lead civilian authority responsible for information security.
- Invest in cybersecurity research and deployment "like we mean it."
Fred H. Cate is the C. Ben Dutton Professor of Law at the IU Maurer School of Law. IU is considered a leader in information assurance. The National Security Agency has designated the university as both a National Center of Academic Excellence in Information Assurance Education and a National Center of Academic Excellence in Information Assurance Research.