Obama's executive order allows key players to 'argue hypothetical risk away'

Editor’s Note: The following report is excerpted from Joseph Farah’s G2 Bulletin, the premium online newsletter published by the founder of WND. Subscriptions are $99 a year or, for monthly trials, just $9.95 per month for credit card users, and provide instant access for the complete reports.

WASHINGTON – Alarms are being sounded over President Barack Obama’s recent executive order that puts an emphasis on establishing a framework for risk management on cyber security and relies on voluntary participation of the private sector that owns and operates a majority of critical U.S. infrastructures, according to report from Joseph Farah’s G2 Bulletin.

National security sources say a similar concern applies to protecting the highly vulnerable national electrical grid system, and those critical U.S. infrastructures that depend on the grid to function properly, from either a natural or man-made electromagnetic pulse, or EMP, event.

Without totally hardening the electrical grid system, including systems controlled by private utilities, sources say an EMP event, especially over a wide geographical area of the country, would permanently alter life as we know it.

These sources add that if effective measures were taken to guard against an EMP, that would be sufficient to ensure cyber security.

The problem, both for cyber security and protection against an EMP event, stems from risk management, which is a “business logic ultimately (that) gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation’s most critical installations,” according to a recent Brookings Institution study.

The study, titled “Bound to Fail: Why Cyber Security Risk Cannot Simply Be ‘Managed’ Away,” said the recent presidential executive order that referred to the need for increased protection of the nation’s cyber infrastructure was an acknowledgement that the Pentagon’s capabilities under its new Cyber Command “are not sufficient to protect the nation’s most critical systems.”

“Unfortunately, this new order is set up to fail,” the report said. “By promoting voluntary action by the private sector, supported by information sharing on cyber threats and risk-based standards, the executive order doesn’t deliver on a fresh approach.”

“As it stands,” the report said, “critical infrastructure protection is an area where private companies are expected to assume much more responsibility – and even pay the cost – for national security,” it said. “While it is comfortable to think that the private sector would be willing and able to solve the problem, either on their own or with the help of the government, so-called public-private partnerships, experience has shown otherwise.”

Critical infrastructures and their functioning are through computer-based SCADA, or supervisory control and data systems. Their vulnerability to a cyber attack is exactly the same in an EMP event.

The study pointed out that U.S. government efforts to test national SCADA revealed bulk design vulnerabilities in the control system products used to control the nation’s most critical installations.

While these vulnerabilities were passed to the vendors in question, they “mostly went unaddressed,” the study said.

In determining whether “risk” can be managed, the report said the “sober reality” of cyber security of critical infrastructure reveals that there is “no empirical evidence that a risk-based approach, despite its near decade of practice, has had any success.”

Keep in touch with the most important breaking news stories about critical developments around the globe with Joseph Farah’s G2 Bulletin, the premium, online intelligence news source edited and published by the founder of WND.

For the complete report and full immediate access to Joseph Farah’s G2 Bulletin, subscribe now.

http://www.wnd.com/2013/10/why-volunteers-wont-fix-cyber-security-issues/print/