Addressing Threats to Your Infrastructure [Rural Telecommunications]
(Rural Telecommunications Via Acquire Media NewsEdge) An estimated 80% to 90% of the United States telecom infrastructure is privately owned a d deemed one of our nations ritical infrastructures. That's b en the case for some time: Pr sident Clinton's EHecutive Order 13 10 stated that telecom was one~of several services "so vital that their incapacity or destruction would have debilistaing impact on the defense or economic security of the United States." Yet it seems it has taken until the last few years for critical infrastructure security to become a pressing concern to legislators.
Given that the telecommunications industry provides direct communication service to consumers, industry and government, leaving its security solely to the discretion of the private sector creates tremendous unrest for politicians and government agencies entrusted with protecting national safety.
The threat to these vital systems is generally viewed as twofold: physical threats to tangible property, and threats to the information or communication components that control them (cyber security). Much like the infrastructure it is to protect, the scope of cybersecurity is constantly evolving. Different government entities are tasked with evaluating cyber vulnerabilities. For telecommunications, that entity is the Department of Homeland Security (DHS).
For private-sector téleos, hardening business operations against physical threats, including natural disasters, is commonplace. Building contingency and disaster recovery plans to address reasonable risks underscores the commitment to providing this type of protection. For the most part, security is done without government mandates, largely because it's in the business' best interest financially.
Siren Telephone Co. (Siren, Wis.) Outside Plant Manager Kent Basset confirmed that much of the physical network fortification is self-enforced, underscored by the company's customercentric commitment to restoring service when it's compromised.
While self-initiated efforts address physical network safety, the government has stipulated protection measures for consumers. Today these measures have the added advantage of helping to secure critical infrastructure.
Todd Irish, manager at LaHarpe Telephone (LaHarpe, 111.), pointed to national service mandates that require téleos to report to the FCC any incident that affects a large percentage of customers. From Irish's viewpoint, "They [the mandates] aren't really a burden because they don't happen that often."
When incidents are reported, the data is stored in the Network Outage Reporting System. The FCC grants only the DHS direct access to this outage reporting database. It is the DHS that determines if reported threats warrant alerting state and local authorities.
The communications process between service providers and the DHS can include significant delays between the detection of a cyber attack, when the DHS determines the attack's invasiveness, and when providers are notified of corrective measures.
Then there's legislation like the 1994 Communications Assistance for Law Enforcement Act (CALE A). It states that upon presentation of a valid subpoena, common carriers, facilitiesbased broadband Internet access providers and VoIP service providers must have built-in surveillance capabilities to provide federal agencies access to monitor all telephone, broadband Internet and VoIP traffic in real-time.
Unlike some service mandates, CALEA affects the finances of rural téleos. Chuck Deisbeck, chief executive officer for Breda Telephone Corp. (Breda, Iowa), stated that to conform to the initial CALEA, "We have equipment we've had to pay for so they can have remote access to our switching and data networks."
With many rural téleos already financially stretched, using the funding precedent established by the likes of CALEA is unlikely to be a viable option if legislators deem new cybersecurity- related equipment is needed.
The Cyber Thneebe
Given our nation's reliance on software, today's politicians seem more focused on cyber risks than critical infrastructure hardware.
The White House has described cybersecurity as "one of the most serious economic and national security challenges we face as a nation." Senate Majority Leader Harry Reid is one of many that concur. "Failing to act on cybersecurity legislation not only puts our national security at risk, it also recklessly endangers members of our armed forces and missions around the world," Reid stated.
How susceptible is critical infrastructure to a cyber breach The answers depend on how you look at it. One of the most recent counts was provided in a July 2012 Bipartisan Policy Center report, which stated "that from October 201 1 through February 2012, over 50,000 cyber attacks on private and government networks were reported to DHS, including 86 attacks on critical infrastructure networks." The report also noted that "these represent only a small fraction of cyber attacks carried out in the United States."
What is particularly worrisome is the exposure the nation faces because of the role of the Internet.
For example, James Lewis, technology program director at the Center for Strategic and International Studies in Washington, stated in an interview, "If you interview power companies and say, 'Is your control system connected to the Internet ' they'll say, Of course not.' It turns out in almost every case a control system is connected to the Internet, and it's vulnerable to being hacked."
That's not a surprise to Joel Brenner, former senior counsel to the National Security Agency and counter intelligence coordinator of 17 federal agencies when he served under the director of national intelligence. In an interview he stated about the Internet, "We have taken what is fundamentally a porous and insecure system designed originally as a research tool and connected to it all of our financial infrastructure, and much of our operational and manufacturing infrastructure."
Not to be overlooked are emerging developments that are producing new technologies. A report by the Global Information Society Project stated, "Digitization and related technology are making all content - whether voice, test, audio or video - indistinguishable binary code ... that are transport medium indifferent." The report continued, "More importantly, in the long run new developments in technology - in particular ultrawide band and software-defined radio together with mesh networks - have the potential to make the entire existing infrastructure and regulatory regime obsolete."
CALEA proves Global's point. In recent months, law enforcement has spoken before Congress requesting modification to CALEA. It seems in some cases gaining intercept access hasn't been as simple or as quick as presenting a subpoena. Law enforcement also is asking that the scope of CALEA be expanded to keep pace with today's widely used technology - technology that didn't exist when CALEA was originally created.
Advocates for telecommunications providers understand the nature of these technological changes and are encouraging government to avoid imposing rigid, cybersecurity-related regulatory requirements that could require industry to focus on obsolete security requirements.
A study by Bloomberg in association with Ponemon Institute released in January 2012 is one of the first to put a price tag on cybersecurity. The report stated, "Companies including utilities, banks and phone carriers would have to spend almost nine times more on cybersecurity to prevent a digital Pearl Harbor."
In a Bloomberg press release, Lawrence Ponemon, chairman of the Ponemon Institute, commented, "The consequences of a successful attack against critical infrastructure makes these cost increases look like chump change."
Deisbeck has thought about the financial side of cybersecurity. "National law is one thing, [but] how do you help a company our size spend 20[K] to 30K Since the FCC has made changes to [the Universal Service Fund], there should be dollars in that fund to pay for the expense," he suggested. He sees the Defense budget as a viable source for funding modifications too. Another alternative is to address the issue higher upstream, at a Tier 1 level, where companies have intrusion detection.
Irish agreed that affordability is key. "They [the government] need to provide funding for something we can't afford or recover investment," he stated.
Attacks are a reality across the nation, not just in metropolitan areas. How realistic is it to believe a cyber attack will be initiated from rural America or on rural America
Many rural téleos probably share the view of general manager for Brooke Telecom Co-op Inwood, Ontario), Jim Janssens. The company serves around 1,500 customers. "We feel it [cybersecurity] is not the first and foremost problem; it's how we'd recover in a timely manner for our customers," Janssens said.
Others relate to Deisbeck's view, "We already do a good job of protecting our network, but what they have in mind might be different. We're both protecting something, but on a different level."
Addressing Threats to Your Infrasctructure
Broadband Internet access providers and VoIP service providers nlisD have build-in surveillance capabilities bo pnovidf federal agencies access.
National law is one thing (but) hooj do you a company our size spend(20K) to 30k - Chuck Deisbekc, ,CEO Breda Telephone Corp.
Anna Henry is a freelance writer. She can be reached at Headlineink @comcast. net.
(c) 2012 National Telephone Cooperative
[ Back To TMCnet.com's Homepage ]