Cyberprotection takes center stage
IT execs push to guard virtual assets
A year ago, an IT critical infrastructure list circulating in Washington included the headquarters of Intel Corp. and Microsoft Corp. Today, the list is more likely to include virtual assets such as networks that carry data to and from major power plants, government offices and Wall Street.
As key computer industry leaders see it, the National Infrastructure Protection Plan for the nation's critical assets should cover virtual and logical IT resources as well as physical ones. IT is likely to be the nation's only economic sector defined primarily by intangible assets.
"The logical assets are ever more important," said Michael Aisenberg, director of government relations for VeriSign Inc., "while the physical assets are redundant."
"It is very difficult to define critical assets in cyberspace," added Paul Kurtz, executive director of the Cyber Security Industry Alliance, a cybersecurity advocacy group led by IT chief executives.
Kurtz and Aisenberg, along with other IT and cybersecurity executives, have been meeting regularly as the IT Sector Coordinating Council under guidance issued in the draft national plan in November 2005. Their goal is to work with the Homeland Security Department's National Cyber Security Division to formulate a critical infrastructure protection plan for the IT sector.
Each of the 17 economic sectors are to complete plans within six months after the national plan's final draft is released, which is anticipated shortly. The sectors outlined in the national plan include IT, energy, financial services, health care, defense, telecommunications, food and water.
For most sectors, infrastructure consists of plants, pipelines, factories, roads, bridges, buildings and other physical facilities. The National Asset Database that DHS maintains reportedly includes such physical structures as chemical factories, gas pipelines, major highways and national monuments.
But for IT, assets are being defined in cyberspace. Several approaches are being developed, including viewing IT as an asset primarily as it supports other sectors, and evaluating how the IT sector, including the Internet, can withstand a cyberincident of national significance.
But questions remain as to how critical IT asset protection differs from cybersecurity protection. Other questions include how IT assets should be defined relative to telecommunications assets, and who should pay for protecting critical IT assets.
"We're defining [IT critical assets] by critical functionality," said Kurtz, co-chair of the Sector Coordinating Council's subcommittee that is developing the sector-specific plan. "We're asking: What is the top-level functionality that needs to be there? What needs to be there reliably 99.9 percent of the time?"
"We're looking at how IT supports the other sectors and where the dependencies lie," said Guy Copeland, vice president of information infrastructure advisory programs for Computer Sciences Corp. and chairman of the IT Sector Coordinating Council.
The final list of IT assets is likely to have some physical assets on it, said Aisenberg, vice chairman of the IT sector council. Such assets might include critical routers and servers, cables carried by bridges and tunnels, and MAE-East and MAE-West, which are Internet traffic exchange sites in Washington and California, respectively. But those Internet exchange centers also may be claimed by the telecom sector, Aisenberg said.
The importance of physical IT assets has diminished in the last five years, as operators recognized vulnerabilities of critical routers, servers and cables and more broadly distributed those assets, Aisenberg said. As a result, if there were an attack on an IT facility holding numerous routers, for example, many of their functions could be rerouted to preserve operations, he said.
"If there is a critical IT asset that is attacked, the chance of the [Internet] being affected is much less than it was five years ago," Aisenberg said.
The determination of what constitutes a critical IT asset is affected by several other trends, such as the ongoing convergence of the IT and telecom industries, said Peter Allor, director of operations for the IT Infrastructure Sector Analysis Center. IT vendors in 2001 created the center as a forum to share information on cyberthreats.
The two industries have been intertwined for decades, with telecom providing the backbone systems that enable transfer of data among businesses, government agencies and residences.
As telephone companies become more like IT companies and voice over IP becomes ubiquitous, the need to define separate lists of critical infrastructure may diminish, said Allor, who also is intelligence director of IT security provider Internet Security Systems Inc. of Atlanta.
In addition, he said, there is movement toward grouping IT, telecom and electric power as the "millisecond sector" because the triad is so closely interrelated and all operate on similar timing.
"The complicating factor is that the telecom industry is regulated, and the IT industry is not," Allor said. "Right now, they are developing separate but parallel plans, but there will be some convergence in the next five to 10 years. There are technology and political issues, and competitive and leadership issues to work through."
Allor declined to define those issues, but other industry executives have voiced concerns about the determination of who is responsible for what part of the response when a major cyberincident occurs; which IT functions would be restored first after an incident and who would make those decisions; how government and the private sector will coordinate any response; and how much government funding will be available to protect private assets.
President Bush proposed $600 million for critical infrastructure protection grants in the fiscal 2006 budget; however, Congress approved only $50 million in such grants to cover all sectors.
Staff Writer Alice Lipowicz can be reached at firstname.lastname@example.org.