Information-sharing partnerships that helped the federal government and the private sector combat cyber attacks such as the "Code Red" and "Nimda" viruses have served as a valuable model for protecting other critical infrastructures from potential terrorist attacks, a top cyber-security official said Tuesday.
"Prior to [Sept. 11, 2001], we really focused in on cyber threats," Ronald Dick, director of the FBI's National Infrastructure Protection Center (NIPC), said during the first annual conference of the Infrastructure Security Partnership.
Dick noted that when the Code Red virus spread rapidly across the Internet in 2000, the FBI, the CIA, the National Security Agency and the Secret Service worked with software giants such as Microsoft and Cisco Systems to identify system vulnerabilities and determine ways to mitigate the threat.
"Code Red was a great example of how we were able to bring together all of those resources, make public statements about what the vulnerability was ... and get a message out as to what to do," Dick said. "Because of those actions, the impact of Code Red and Nimda were greatly reduced."
Dick said the lessons learned from those partnerships have helped NIPC prevent tech-savvy terrorists from disrupting critical physical infrastructures, such as the electrical power grid, the water supply and the telecommunications system.
"What changed after Sept. 11 was that instead of having the demand be one of cyber information, the private sector began to demand physical-threat information," Dick said. "So because of what we had done in the cyber environment-basically, building a portal to the private sector-there was a great need and desire for us to harvest physical threat information ... and push it out through those same information-sharing mechanisms."
But Dick said the public and private sectors still face "huge" challenges breaking down institutional barriers. Agencies such as the FBI and CIA, for example, worry that alerting industry to potential terrorist threats could compromise valuable intelligence sources. And private companies worry that sharing proprietary information with the government-and other companies-could lead to economic harm and falling stock prices.
Many companies also fear that notifying the government of infrastructure vulnerabilities could lead to lawsuits if that information is made public under the Freedom of Information Act (FOIA). House and Senate bills that would create a Homeland Security Department include provisions to limit that type of liability.
But Joel Slaughter, manager of corporate security for American Electric Power (AEP), said potential terrorists already have easy access to a large amount of critical infrastructure information.
"Because of FOIA, much of the information on critical infrastructure is out there in public today," Slaughter said. "Today, you can go on the Internet, and for less than $100, you can buy a map of the electrical grid in this country."
Slaughter added that it is "virtually impossible" for AEP to protect every inch of its 38,000 miles of electrical transmission lines. "It's going to come down to deep cooperation between state and federal agencies and industry to protect these facilities," he said.