Defending Critical InfrastructureLow Visibility into Privately Owned Systems A Concern
Defending Delaware's critical infrastructure is a top challenge since a large part is owned by the private sector, says State Homeland Security Adviser Kurt Reuther, who details the challenges.
The private sector owns about 85 percent of the nation's critical infrastructure. In reviewing the state's cybersecurity threats, Reuther sees its vulnerable areas existing within the private sector, including banking and healthcare. "It's a little difficult for us to have a handle on that entire threat stream when we only understand the governmental side of it, the 15 percent as it relates to that threat at any given time," he says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
Efforts to bolster security of the critical infrastructure revolve around coordination, particularly with the state Department of Technology and Information. "We really try to put out a progressive and positive message in terms of what people can do to protect themselves and what businesses can do to protect themselves," Reuther says. "It's truly our belief that from a cost-effective perspective, it's going to be much easier to protect or prevent an attack than it is to respond or recover from that attack."
In the interview, which took place in his Dover, Del., office, Reuther explains:
- His responsibilities as homeland security adviser, and the job's involvement with cybersecurity;
- How defending critical infrastructure such as electric and water systems requires an understanding of their cyber components;
- The role his office performs in building awareness among state residents and businesses to ramp up homeland defense.
As homeland security adviser for the past 2Â½ years, Reuther oversees state homeland security projects and serves as a liaison with the federal government on homeland security matters. Before being named homeland security adviser, Reuther spent three years as statewide law enforcement weapons of mass destruction coordinator.
Reuther began his career with the Department of Natural Resources and Environmental Control in 1983 with the Division of Parks and Recreation. In 1992, he was named Natural Resource's Regional Environmental Enforcement Officer for the Division of Air and Waste Management. In this capacity, he managed environmental and hazardous material emergencies. In 2004, Reuther was named chief of Air and Waste Management Enforcement. He also served a co-manager of the Natural Resources' Emergency Response Team and served as state on-scene coordinator for environmental and hazardous material incidents involving unified command and federal authorities.
Delaware's Homeland Security Adviser
ERIC CHABROW: First off, tell us what the homeland security adviser in Delaware does?
KURT REUTHER: The homeland security adviser in Delaware is essentially responsible for liaising between state government, local government and private-sector partners in Delaware to the federal system and the Federal Department of Homeland Security. As such, I try and stay up to speed or abreast of a variety of homeland security issues that might face Delaware, trying to establish policy working with our stakeholders and partners here to mitigate any threats that we have, and then conversely bring those types of issues up to the federal government so that we can as a state weigh in on policies and systems that they put in place at the federal level.
CHABROW: What's the relationship between homeland security and cybersecurity?
REUTHER: It's huge today. Director Robert Mueller of the FBI several months ago stated that cybersecurity is probably one of the top three homeland security threats in today's world. And as you and your constituents are well aware, we don't do anything in today's world without some cyber connectivity. When we start to look at intellectual property issues, traditional crime and theft, contractual competitiveness and the ability for the people to just disrupt our cyber way of life and our traditional way of life, to me it's huge. I don't believe we can have a discussion in homeland security without talking about cybersecurity.
CHABROW: Let's talk a little about cybersecurity and its impact on homeland security in Delaware. Can you give an example or two of the types of cybersecurity issues that you address here in Delaware?
REUTHER: When we take a look at homeland security in general, there's a lot of discussion surrounding critical infrastructure and key resources, and, as you're well aware, critical infrastructure and key resources run on cyber systems and are extremely reliant upon them. From a practical perspective, approximately 85 percent of the critical infrastructure in any jurisdiction is owned by the private sector, so the government layers only own approximately 10-15 percent depending on the jurisdiction.
When we start to examine cybersecurity, our vulnerable areas are within the private sector, the areas we hit on, banking and finance, research and development, personal information such as that might be held at a hospital database. It's a little difficult for us to have a handle on that entire threat stream when we only understand the governmental side of it, the 15 percent as it relates to that threat at any given time. One of our biggest challenges cybersecurity-wise is understanding the broad spectrum, the 100-percent threat stream, when we only have visibility into about 10-15 percent of that stream.
CHABROW: Is it the responsibility of the Safety and Homeland Security Department in Delaware to provide protection and coordination when it comes to cybersecurity threats? Is the coordination with the businesses or with the federal government?
REUTHER: It's really more of a coordination effort. Through our partners at the Department of Technology and Information in the state, we really try and put out a progressive and positive message in terms of what people can do to protect themselves and what businesses can do to protect themselves. It's truly our belief that from a cost-effective perspective, it's going to be much easier to protect or prevent an attack than it is to respond or recover from that attack. Our messaging is truly one of coordination, trying to enlist the support of other stakeholders so that together we sort of embrace this preventative and protection framework to prevent us from having that bad day where we are actually responding and recovering from a critical cyber event.
CHABROW: So a large part of your responsibility is creating awareness, getting people to work together and providing the cybersecurity?
REUTHER: Absolutely. It's all a matter of establishing relationships, discussing the threat streams, discussing the issues cyber intrusion may have and collectively putting our heads together to create a mitigating program that's not too restrictive on free economy and commerce, yet provides us the safety and security that we need.
Responding to Threats
CHABROW: And what are the challenges to accomplish that?
REUTHER: I have to be visible to you. I'm a police officer by training and when we talk about threats it's very easy to do, because it involves physical space. It's a suspect. It's building security. It's fencing. It is alarms. It is things that we can reach, touch, hear, smell and understand. To me, one of the larger issues with cyber is people tend not to think about it because you can't see it, feel it or touch it, but you certainly know when it goes away. It's taking folks away from that traditional feel of physical security, law enforcement, fire response, and all those types of things that we're very familiar with and then taking it to a level where you're trying to build awareness on something you really can't see, and trying to beat that level of complacency is difficult.