We're failing at cybersecurity, literally

Cybersecurity came in dead last in the assessment of core capabilities in the National Preparedness Report.

President Barack Obama, continuing his efforts to reduce the impact of cyberattacks on our nation, recently commissioned a national preparedness report. The report has been published, and the news is not good when it comes to cybersecurity.

The Federal Emergency Management Agency's National Preparedness Report was constructed to assess our country’s preparedness to respond to a wide range of crises, including cybersecurity. As many professionals in the field of cybersecurity already know, this is an area that requires immediate action. In the assessment of core capabilities, cybersecurity came in dead last.

One of the key findings stated that cybersecurity and recovery-focused core capabilities are national areas for improvement. Interestingly enough, more than 60 percent of the states had identified cybersecurity as a high-priority capability. Even though cybersecurity is a high priority in more than 60 percent of the states, the average cyber capability level determined by this study was only 42 percent (an F), and 45 percent (another F) had not implemented a formal cyber risk management program. A possible contributing factor for this finding is that cyber-related grants have been minimal.

The most alarming disclosure in the report was that only 50 percent of owners and operators at high-priority facilities participating in the survey said that they report cyber incidents to external parties. The Securities and Exchange Commission (SEC) recently released guidance to publicly traded companies about the required disclosure of cyber incidents. In the fourth quarter of 2011, the SEC issued CF Disclosure Guidance: Topic No. 2 (Guidance) related to the obligations regarding cybersecurity risks and cyber incidents for public companies. Given the SEC’s actions and many other contributing factors, many critical infrastructure providers now identify cybersecurity as a priority issue, and executive management has become involved.

This is not a new threat, and the vulnerability of our critical infrastructure has been known for some time now. It is mind-boggling how slowly this sector has moved to address the rapidly evolving threat of cyberattacks.