The Bigger Truth

    The research in this brief presents a clear and compelling picture:

    1. Critical infrastructure organizations are under cyber-attack and they believe that things are getting worse.

    2. The security incidents experienced by critical infrastructure organizations vary widely, disrupt business operations, and carry high costs.

    3. Security professionals working at critical infrastructure organizations remain unclear about the U.S. government’s cybersecurity strategy. Nevertheless, this key constituency believes that Washington should be more active with its cybersecurity strategy and programs.

    ESG believes this brief should send a cogent and concise message to Washington. The U.S. Federal Government must engage with critical infrastructure security professionals, improve its communication by articulating a logical cybersecurity strategy, express a clear mission statement that includes success metrics, and find ways to provide help sooner rather than later. Of course, it’s unrealistic to expect draconian cybersecurity policies and regulations from Washington, but it’s apparent that cybersecurity professionals would like to see the U.S. Federal Government use its visibility, influence, and purchasing power to produce cybersecurity “carrots” and “sticks.” In other words, Washington should be willing to reward IT vendors and critical infrastructure organizations that meet strong cybersecurity metrics and punish those that cannot adhere to this type of standard.

    In 2009, President Obama stated, “…it's now clear that cyber threats are one of the most serious economic and national security challenges we face as a nation.” On the other side of the political spectrum, a recent press release on cybersecurity legislation from Senator John McCain (R-AZ) stated, “Every day we delay moving forward with this legislation, our nation grows more vulnerable, our privacy and security are increasingly at-risk, and our adversaries are further emboldened.” These declarations from political adversaries seem to point to bipartisan support for greater cybersecurity participation from Washington. Based upon the research presented in this brief, this type of commitment would be welcomed with open arms by organizations within critical infrastructure industries.