High Quality
Open the downloaded document, and select print from the file menu (PDF reader required).
1
Critical Inrastructure Protection
In the Crossfre
Critical Inrastructure in the Age o Cyber War
A global report on the threats acing key industries
Introduction
1
The Threat is Real
2
Responding to the Threat—Resources and Preparedness
12
Countering the Threat—Security Measures
18
The “State o Nature” and the Role o Government
24
Improving Security in an Age o Cyber War
32
Acknowledgements
40
CONTENTSIn the Crossre
Authors:Stewart Baker, distinguished visiting ellow,CSIS; partner, Steptoe & JohnsonShaun Waterman, writer and researcher, CSISGeorge Ivanov, researcher, CSIS
1
In the Crossfre: Critical Inrastructure in the Age o Cyber War
Introduction and Background o the Study
In an ever more networked world, the cyber vulnerabilities o criticalinrastructure pose challenges to governments and owners and operatorsin every sector and across the globe.
With the global economy still ragile ater lastyear’s fnancial crisis, assuring the integrity andavailability o key national industries may all outo ocus as a government priority, but will remaina key determinant o strategic vulnerability.Six hundred IT and security executives rom criticalinrastructure enterprises across seven sectors in 14countries all over the world anonymously answeredan extensive series o detailed questions about theirpractices, attitudes and policies on security—theimpact o regulation, their relationship with govern-ment, specifc security measures employed on theirnetworks, and the kinds o attacks they ace.Critical inrastructure owners and operatorsreport that their IT networks are under repeatedcyberattack, oten by high-level adversaries. Theimpact o such attacks is oten severe, and theircost is high and borne widely.Although executives generally report satisac-tion with the resources they have or security,recession-driven cuts have been widespread andsometimes deep. And there is concern about howwell-prepared critical inrastructure is to deal withlarge-scale attacks.By gathering details on the actual security measuresthat organizations adopted, we were able to makean objective comparison o security in dierent criti-cal inrastructure sectors, and in dierent nations.The executives with responsibility or operational orindustrial control systems were also asked a serieso special questions about the security measuresemployed on those systems.Executives in China reported by ar the highestrates o adoption o security measures includingencryption and strong user authentication. Amongsectors, water/sewage executives reported thelowest rate o adoption o security measures.Broken down by sector and by nation, the surveydata reveals signifcant variations in attitudes to andreports about regulation and other governmentactivity. Executives in India reported the highestlevels o regulation, closely ollowed by China andGermany. Executives in the United States reportedthe lowest levels. Views about the impact andeectiveness o regulation varied widely, but overallmost agreed that they improve security.A majority o executives believed that oreigngovernments were already involved in networkattacks against their country’s critical inrastructure.The United States and China were seen as themost worrisome potential cyber aggressors, butattribution challenges in cyberspace give all attackers“plausible deniability.”
Methodology
The survey data gathered or this report paints orthe frst time a detailed picture o the way thosecharged with the deense o critical IT networks areresponding to cyberattacks, attempting to securetheir systems and working with governments.A team rom the Technology and Public Policy Pro-gram o the Center or Strategic and InternationalStudies in Washington, DC analyzed the data,supplemented it with additional research andinterviews, and wrote this report.The respondents are executives who have IT, secu-rity or operational control systems responsibilitieswith their organization. About hal said they hadresponsibility or such unctions at a business unitlevel, with a quarter reporting their responsibilitieswere at the global level.The survey was not designed to be a statisticallyvalid opinion poll with sampling and error margins.It is rather a rough measure o executive opinion,a snapshot o the views o a signifcant group odecision-makers.
1
The CSIS team used interviews to provide context,background and verifcation or the survey data—adding detail to the picture o regulatory environ-ments and threat/vulnerability levels across all sevensectors in each country, and discussing best prac-tices. Many interviewees declined to be quoted byname, some declined to be named or quoted at all.All those who agreed to be identifed are thankedin the acknowledgements.
Add a Comment