Educate Lawmakers on Securing the Critical Infrastructure

I drafted the retrospective column “Securing the Critical Infrastructure—Two Lost Decades” before the “breaking news” column “Oh, BTW, The Russians Cyberattacked the U.S. Critical Infrastructure,” which was posted on April 24, 2018. The former was in response to the US-CERT alerts resulting from actual cyberattacks. The latter was about the time lost from when the initial presidential decision directive to protect the U.S. critical infrastructure was issued. Twenty crucial years have been wasted, in my opinion, and it does not appear that we are taking the necessary actions even today in the face of known current attacks and pending threats.

Further, I happened upon an April 24, 2018 Hearing of the Senate Committee on Homeland Security and Governmental Affairs with the title “Mitigating America’s Cybersecurity Risk.” The panelists were Jeanette Manfra (DHS), Gregory Wilshusen (GAO) and Hon. Eric Rosenbach (DoD). You can find their testimonies at  All three are accomplished professionals who presented reasoned testimonies. The only problem is that similar testimonies were presented more than 16 years ago. I should know because I testified back in November 2001 in a statement before the House Subcommittee on Commerce, Trade and Consumer Protection on the subject “Cyber Security: Private-Sector Efforts Addressing Cyber Threats.”

Nevertheless, we have been notified that a hostile nation state, Russia, is already attacking the systems of the November 2018 elections directly, or indirectly via social media … and we are not doing much about it. That’s not entirely surprising since a large segment (almost half of voters) of the U.S. population, who voted in November 2016, was happy with the results, which were certainly influenced by proven Russian “meddling,” or, more accurately, cyber warfare attacks.

Had there been a kinetic attack, such as a bombing, there would have been a swift and deadly counterattack, but there have been few, if any, direct responses (at least any made public) to known cyberattacks, even though their consequences have been enormous. Why is this? Perhaps one explanation is that the results of a logical attack are not as dramatic as the impact of a kinetic attack. There are no buildings destroyed, people displaced, fires raging, etc. from a cyberattack. In fact, we see quite the opposite when electricity power grids are immobilized, as happened to the Ukraine in December 2015 in an attack that was launched from Russian Federation IP addresses. No explosions, just silence.

It is time to educate lawmakers about cybersecurity: what it is, how it works, and how to prevent and protect against cyberattacks. Perhaps a 100-hour course should be required for all. No more glazed-over expressions during Congressional hearings. No more dumb questions about how the Internet works. What a relief that would be!
