Half of the companies that provide critical infrastructure such as utilities or communication services have experienced politically motivated cyber attacks, according to a new report from Symantec.
A survey of critical infrastructure providers found 53 percent suspected they had experienced an attack with a specific political goal in mind. The companies affected reported being attacked an average of 10 times over the past five years. Half said they expect another attack in the next year and 80 percent believe the attacks are becoming more frequent. The respondents said the majority of the attacks were somewhat to extremely effective and cost firms an average of $850,000 each.
“Critical infrastructure protection is not just a government issue. In countries where the majority of a nation’s critical infrastructure is owned by private corporations, in addition to large enterprises, there is also the presence of small and medium-sized businesses,” said Symantec chief information security officer Justin Somaini.
Somaini cited the Stuxnet virus, which has disabled physical security features at factories around the globe in recent months, as evidence that the threat to private networks is evolving. The survey also showed the energy industry is most ready for an attack, while the communications industry is least prepared.
“Security alone is not enough for critical infrastructure providers of all sizes to withstand today’s cyber attacks,” Somaini said. “The Stuxnet worm that is targeting energy companies around the world represents the advanced kind of threats that require security, storage and backup solutions, along with authentication and access-control processes to be in place for true network resiliency.”
Protecting the nation's critical infrastructure from cyber attacks is an increasing priority for the Obama administration. The administration asserts that, under a little-used clause in the Communications Act passed in the wake of the Japanese bombing of Pearl Harbor in December 1941, it already has the right to act to protect private-sector networks in the event of a catastrophic cyber attack that could cause significant loss of life or financial damage.
But which federal agency should possess that authority, and how it should be allowed to use it, is the main sticking point for comprehensive cybersecurity legislation currently under consideration by Senate Majority Leader Harry Reid (D-Nev.). The Senate Homeland Security Committee passed a bill that would limit the White House's role and place most operational authority over private-sector cybersecurity with the Department of Homeland Security.
Members of the Senate Commerce Committee would rather see the Commerce Department's National Institute of Standards and Technology take the lead role in regulating cybersecurity requirements, with a more hands-off approach from the federal government. Both sides remain deadlocked, with legislation unlikely to pass the Senate this year as a result.
Symantec's report recommends companies develop and enforce their own IT security policies with a focus on protecting information and authenticating users to limit unauthorized access. It also recommends the government continue to work with industry and detail how a response would work in the event of a national cyber emergency. Symantec is a leading provider of security software and services.