LAKE BUENA VISTA, Fla. -- Move over, Iron Man. The corporate information security professional is an essential part of the "new front lines of defense," according to Michael Assante, vice president and chief security officer of the North American Electric Reliability Corporation (NERC).
"The responsibility, now more than ever, lies with the private sector to secure assets from new 'acts of war,'" said Assante during his keynote speech at the InfoSec World 2010 security conference.
As malicious hackers look to more targeted attacks, often going after victims and valuable data outside of an office's network boundaries, the responsibility for defense, he said, is dispersed throughout the information security community, even all the way down to the home user in some cases.
The idea of shared responsibility for national cybersecurity defense differs from earlier times of war, where demonstrations of military strength were more easily defined. As a former navy intelligence officer, Assante spoke about a shift from common rules of engagement and an understanding of how an adversary would operate.
Today, however, "the rules aren't there for the national security decision makers," which presents challenges for those creating policy, Assante said. "And that challenge is translating down all the way to your very jobs," he told the audience.
The responsibility falls in the hands of infosec professionals, according to Assante, largely because of a new struggle: the blur between commercial enterprises and national security organizations.
"It's impacting us if we look at what's occurring on the legislative front; it's impacting us in terms of the risk management decisions and pressures that they're receiving from the government," he said.
Assante illustrated the convergence of military and commercial technology by flashing a telling picture: an image of a U.S. soldier using a tactical rifle hooked up to an iPhone running a precision-shooting application -- one available for $14.99.
There is similar integration, he said, between digital technology and traditional engineering disciplines, creating a culture struggle between information security professionals and traditional engineers. "They're going to rely more on you, and you're going to help them change and transform how they do business," Assante said.
A major convergence has also occurred in the automation space, specifically with the merging of control systems and safety systems. What were once physically separate mechanisms are now, from a network perspective, only functionally separate.
Utility industry changes
This trend occurs in the utility industry, Assante said. With the development of the smart grid, there has been a growing use of digital technology in the monitoring and controlling of the generation, transmission and distribution of electricity.
Currently, an electric utility's functions can be broken down into those three sectors: generation, transmission and distribution. If Assante accomplishes his goal, however, a fourth department will be added: information technology communications. "Each of those three pieces is dependent on technology."
A key development, according to Assante, is Washington's assertion that the electrical system is a strategic national asset. Claiming that the government "missed a memo in the '90s," Assante finds it encouraging that President Obama made a speech in May 2009 -- one Assante was present at -- declaring that everyone must take on a cybersecurity and national defense role. After that speech from the commander in chief: "You all now have the memo," Assante said.
Conference attendee Michael E. Mulville, cyber chief technology officer at McLean, Va.-based Science Applications International Corp. (SAIC), appreciated Assante's mentioning of a greater co-dependence between the government and the private sector.
"If you look at five years ago, the private, commercial sector was very independent and did what it wanted. The federal government was kind of out in left field in terms of how they interacted and what they did on the security end," Mulville said.
Mulville noted how important it is currently for government and private industry to interact and understand each other's processes. And energy, Mulville suggested, is only the beginning.
"There's going to be a greater dependence between the two sectors," he said. "Energy is just one of them. Health is another … where the securing of those people's private information is becoming more and more critical as more and more social network activity is happening as well."