To be a cybersecurity reporter in 2014 was a lot like playing Bill Murray’s character in the movie Groundhog Day — trapped in time, covering the same, predictable news over and over again.
The year started out well enough, with the release of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity – a voluntary set of guidelines designed to improve cybersecurity across the country. The multiyear effort was universally applauded by industry experts and interest groups as the best way to improve cybersecurity without the need for new regulations or legislation. A year later, however, significant questions remain about the framework’s efficacy and, more importantly, the rate at which private sector critical infrastructure owners and operators are actually adopting it.
Among the most interesting developments of 2014, however, was the way in which the Federal Communications Commission issued a direct challenge to NIST and the Department of Homeland Security over the wisdom of relying upon a voluntary set of security standards. In June, FCC Chairman Tom Wheeler said cybersecurity throughout the private sector must improve significantly beyond what existing voluntary frameworks have been able to deliver, but he stopped short of calling for new government regulations to get there. In what some experts called one of the most substantive policy statements on cybersecurity in years, Wheeler said that the nation must “develop market accountability in cybersecurity that doesn’t currently exist” and that while new regulations are not the answer to improving security, the government must be ready to adopt alternative approaches if the free market fails.
This year saw the Federal Trade Commission make a concerted effort to become a major influencer in the national cybersecurity debate. FTC pursued 50 data security enforcement cases in 2014 and announced it will investigate last year’s Target data breach.
And while news of new data breaches, nation-state espionage campaigns and threats of all-out cyber war kept Groundhog Day reporters busy for most of the year, the big issue facing cybersecurity policymakers remained the state of the nation’s cybersecurity workforce. The nation remains virtually incapacitated by a shortage of highly qualified graduates with degrees in science, technology, engineering and mathematics, and by the large percentage of high school students who are not prepared for college-level STEM programs. And as Chris Blask, chairman of the Industrial Control System Information Sharing and Analysis Center, explained in June, the size and scope of the nation’s critical infrastructure means the STEM shortage may be larger than anybody imagined.
For example, there are more than 300,000 manufacturing plants in the U.S., 50,000 water utilities, thousands of electric utilities, 200 natural gas utilities controlling 2.4 million miles of distribution pipes, 28,000 food processing plants, 100 urban rail systems and 140,000 miles of freight rail tracks — and that’s just a small portion of the nation’s critical infrastructure. “We have to have enough people who understand these issues. Just having enough people to do the work is potentially an unsolvable problem,” Blask said.
Perhaps the most important insight of the last part of 2014 came from former Secretary of Defense Robert Gates, who unleashed a scathing assessment in October of the U.S. government’s handling of national cybersecurity policy, blaming bureaucratic turf battles and a dysfunctional Congress for the lack of progress on information sharing and critical infrastructure protection.
“The country faces a situation where the Defense Department, with Cyber Command, NSA and other related organizations, has nearly all of the assets and capability in the cyber arena but limited legal authority to deploy them at home,” Gates said at the SAP NS2 Solutions Summit in Falls Church, Virginia. “Correspondingly, the Department of Homeland Security has few assets, capabilities and experience in this area, but the statutory responsibility for protecting the U.S. domestically against cyber attacks. To fashion a brand new ACLU-approved NSA for domestic surveillance and cybersecurity is simply not plausible. There isn’t enough time, there isn’t enough money and there isn’t enough human capital.”
Big Story of 2014
By Dan Verton · Monday, Nov. 17, 2014 · 6:10 p.m.