What a Difference a Year Makes: Changing Attitudes and Participation in Government Critical Infrastructure Protection Programs
Sometimes a little paranoia can be a good thing. Especially if a little worry helps motivate critical infrastructure providers to implement safeguards to protect their information and systems from potentially devastating cyberattacks. However, as the results of Symantec’s Global Critical Infrastructure Protection (CIP) Survey indicate, critical infrastructure providers are less engaged with their government’s CIP programs, less worried about the threats and less ready than 12 months ago.
Government-sponsored CIP Participation Low, Ambivalence High
Although we can take heart that the instances of cyberattacks have decreased, the general awareness and participation of government-sponsored CIP programs experienced a noticeable decline. For example, 36 percent of companies were generally less aware of their government’s CIP programs (compared to 55 percent last year) and only 37 percent of companies proved to be engaged in CIP programs (compared to 56 percent last year).
Perhaps not surprising when considering the decline in awareness and participation, but feelings of ambivalence have spiked as well. For example, when asked to voice their opinion about government-sponsored CIP programs, more chose ‘neutral’ or ‘no opinion’. Plus, they are now slightly less willing to cooperate with government CIP programs than they were one year ago (57 percent versus 66 percent).
Fewer Threats Spurs Complacency
One of the clear messages from the survey is the perceived decline in threats organizations are experiencing. Overall, 37 percent reported being attacked in at least one manner, versus more than half the respondents last year.
In light of recent Stuxnet-like attacks such as Nitro and Duqu – i.e., targeted attacks that have, in part, focused specifically on critical infrastructure networks -- the perceived decrease in threats can instill a false sense of security that a company is immune to serious threats. Although companies should be encouraged that their efforts to protect critical infrastructures are working, organizations need to proactively enforce policies to ensure resiliency against critical infrastructure cyberattacks.
So What Now?
Based on the survey’s results, companies need to adopt a more aggressive approach to protecting critical infrastructures against cyberattacks. As outlined in the report, this can be accomplished in a number of different ways, including the following:
- Develop and enforce IT policies and automate compliance processes
- Protect information proactively by taking an information-centric approach to protect both information and interactions.
- Manage systems by implementing secure operating environments,
- Protect the infrastructure by securing endpoints, messaging and Web environments.
- Ensure 24x7 availability.
- Develop an information management strategy that includes an information retention plan and policies.
Clearly enterprise organizations are not alone in this battle and the government needs to more actively promote critical infrastructure protection with the following methods:
- Continue to put forth the resources to establish critical infrastructure programs
- Partner with industry associations and private enterprise groups to disseminate information to raise awareness of CIP organizations and plans
- Emphasize that security is not enough to stay resilient in the face of today’s cyberattacks
- Educate critical infrastructure providers and enterprisesthat their information must be stored, backed up, organized, prioritized and that proper identity and access control processes are in place.
From energy systems that power our neighborhoods, to transportation networks that move us around our communities and the country, to facilities that provide our families with safe drinking water, critical infrastructure impacts nearly every aspect of our daily lives. By establishing more robust policies and procedures to protect against critical infrastructure cyberattacks and regular engagement between industry and the government, threats can more readily be identified and eliminated.
The report in its entirety can be found at the following link: 2011 Critical Infrastructure Protection (CIP) Survey Report (PDF).