FSB Set to Parry Cyber Attacks on Russian Critical Infrastructure

By Khatuna Mshvidobadze

Copyright © 2012 Potomac Institute for Policy Studies

As Americans debate how to protect critical infrastructure from cyber attacks, Russia has—on paper at least—moved to protect its strategic assets.  The Security Council of the Russian Federation has released a document aimed at creation of a unified government system to detect, warn against and prevent cyber attacks.  Unlike America, in Russia there is little debate about who will be in charge—the FSB, of course.

The Security Council document takes a step toward implementation of the National Security Strategy of Russia until 2020, which calls for IT infrastructure improvements.  In particular, the document calls for protection of the industrial control systems of strategically important facilities—roughly what we would call critical infrastructure.  These are defined as assets whose malfunction could negatively affect a region’s or the country’s economy.  Interestingly, there is no public mention of national security or loss of life in this definition.

The plan is to be implemented in three phases: 2012 to 2013, 2014 to 2016 and 2017 to 2020. The first phase involves development of an action plan.  During the second phase, the Russian state should develop legal regulations, specific organizational responsibilities and the means to “liquidate” cyber incidents.  (To “liquidate”—a commonly used word in Russian—could involve just about any kind of cyber measures.)  The plan for the second phase also calls for establishment of a unified government situation center for detection and prevention of cyber attacks on critical information infrastructure. This center sounds like some kind of a national CERT. The third stage, among other things, involves integration of security systems at the strategically important facilities.

Many Russian experts are skeptical.  Consultant Mikhail Emelyannikov, for example, told Russian IT Review, “It is unclear how technological independence from other countries in terms of automated control system security will be maintained when most of them are produced abroad.”

It is almost certainly not a coincidence that, a few days after the Security Council document was released, Kaspersky Lab posted job vacancies for personnel with SCADA experience.  The posting says that Kaspersky Lab is developing a new secure operating system.  “The vacancies,” writes Russian IT Review, “are perhaps the first testimony to the Lab’s intentions to enter the industrial IT system market.”  By the way, Russian President Vladimir Putin has been expressing security concerns over foreign-produced hardware and software since he took office in 2000 and the matter is addressed in the 2000 Information Security Doctrine.

Emelyannikov also wonders why the Security Council document makes no mention of the Russian Federal Service for Technical and Export Control (FSTEC).  “All the features of the program are assigned to the FSB…Meanwhile, the implementation of the policy guidelines requires a large number of regulations, some of which, in accordance with the current documents, are in the competency of the Federal Technical Committee.”

Apparently, just two months into his third term as Russia’s president, Putin is acting on matters that have concerned him for over a decade.  The Security Council has identified cyber attacks against critical infrastructure as a national security threat—and the FSB is Russia’s security service.

On Sausages and Cyber Security Laws

By David J. Smith

Copyright © 2012 Potomac Institute for Policy Studies

“As Congress recesses for the national election,” Government Security News (GSN) reports, “the White House is close to issuing an Executive Order (EO) on cyber security in the coming days.”  The EO is meant as at least partial compensation for Congress’s failure to pass cyber security legislation last August.  Despite a standoff between Congressional factions with very different approaches to cyber security, just about everyone agrees that some kind of legislation is needed.  The frustration is understandable, but is an EO at this moment a good idea?

Writing on CSO Online, Taylor Armerding offers a good overview of the arguments that various observers are making for and against the EO.  Most of them are just restatements of positions on the content of the dueling bills that foundered in Congress two months ago.  There is not much point in rehashing shopworn arguments.  Moreover, we do not know exactly what will be in the EO.

Reports based on leaks say that the draft document will order executive departments to develop within 90 days a voluntary set of cyber security standards for private companies that operate critical infrastructure.  Reports also suggest that the EO will establish a Cyber Security Council to be chaired by DHS.  Both measures were featured in the revised Lieberman-Collins Cyber Security Act, a compromise attempt that failed to garner sufficient support in the Senate last August.  However, an internal Administration debate on the EO’s content may still be underway.

Department of Homeland Security Secretary Janet Napolitano told a September 19 Senate Homeland Security and Governmental Affairs Committee hearing that the EO “is close to completion, depending on a few issues that need to be resolved at the highest levels.”  Another indication that the content of the EO may still be up for grabs is a September 24 letter from Senator Joseph Lieberman (I-CT) to President Barack Obama.  Therein, Lieberman urges Obama “to explore any means at your disposal that would encourage regulators to make mandatory the standards developed by the Department of Homeland Security pursuant to your Executive Order.”

We just do not know enough to discuss the EO’s content.  However, one discussion category that Armerding mentions demands our attention now: “The President should not circumvent Congress on a matter of this importance.”

Lieberman encourages the President to proceed with an EO, stressing the danger of inaction.  “The danger is real and imminent,” the Senator’s letter says, “yet we have not acted to defend against it.”  That is true; however, an EO will not change much in the imminent future—the executive departments may even be given 90 days to make recommendations.  That would take us just about to Presidential Inauguration Day.  Moreover, Administration officials admit that an EO cannot do all that needs to be done.  For example, they point out that the President lacks the legal authority to grant legal protection to companies that choose to share cyber threat information with one another and with the government.

That alone means that the matter must again be faced early in the next Congress.  Despite repeated Administration assertions that legislation will still be needed, issuing an EO in October could create the appearance—or the excuse—that cyber security is not so urgent early in 2013.

Moreover, attempts to add tougher provisions to an EO now may only heighten suspicions for the Congressional debate later.

Most importantly, AlienVault CTO Roger Thornton told CSO Online, “A mandate backed by Congress and the President would probably be more effective at convincing the private sector.”  Particularly when our nation faces a new and patchily understood matter like cyber security, the legislative process serves a purpose.  It may be a long process, frustrating and even painful, but in the end it is more likely to forge needed consensus than any other approach.

Although the attribution is probably apocryphal, Otto von Bismarck is said to have remarked, “If you like laws and sausages, you should never watch either one being made.”