Dave McCurdy, a former member of the U.S. House of Representatives with a Department of Defense security clearance, has been waiting for a year to receive clearance from the Department of Energy.
McCurdy, who now serves as president and CEO of the American Gas Association, testified at a U.S. Senate Committee on Energy and Natural Resources hearing on April 4.
“We need to reform the process by which industry leaders receive security clearances,” McCurdy said. “Despite my long history of service in the government intelligence space, and despite my existing Department of Defense security clearance, I still have not received a DOE security clearance. I applied well over a year ago.”
Gerry Cauley, president and CEO of the North American Electric Reliability Corporation, agreed with McCurdy, stating that classified information and high-level security clearances can impede information-sharing when it comes to cyber threats.
“I firmly believe we cannot win a cyber war with regulations and standards alone. Industry must be agile and continue to adapt to threats,” Cauley said. “When there’s a crisis and things need to be done quickly, standards aren’t the solution.”
Agencies at the state and local level need to adopt cybersecurity practices that cater to their individual needs, according to many of the experts who testified at the Senate hearing. Patricia Hoffman, acting assistant secretary of DOE’s Office of Electricity Delivery and Energy Reliability, stated that the agency does not have a single model for cybersecurity regulations, but rather recommends certain components that could contribute to a successful cyber strategy.
Since 2010, DOE has invested $210 million in cyber research. While DOE does not perform assessments for individual agencies, the agency provides “energy assurance plans.” Hoffman said that all states are in various stages of setting up cyber postures.
“It’s a work in progress at every state,” Hoffman said. “I think states really have the opportunity to look at critical infrastructure.”
However, Andrew Bochman, senior cyber and energy security strategist at the Idaho National Laboratory, defended the standardized “check boxes” method of combating the “now-daily drumbeats of cyberattacks on U.S. government and private sector systems.”
Bochman said that standards offer a foundation for cyber well-being on which entities can subsequently build.
“You’ve got to achieve a basic level of hygiene first. You brush your teeth and eat vitamins and exercise so that you don’t fall prey to all manner of infections or bugs that could slow you down or worse,” Bochman said. “Cyber risk futurists, myself included, are experiencing a palpable sense of foreboding, never more so than when I study the current state of cyber-measure and cyber-countermeasure activities.”
Insider threats, in addition to cybersecurity standards, are another major area of concern for the experts who testified. Cauley said that dangerous insiders can permeate an agency and even pass security clearance regulations. For example, he said NEARC detected a suspicious person had been granted a security clearance a couple of years ago.
Training employees and cultivating a larger cybersecurity workforce are two solutions to insider threats, according to Bochman.
“When an attacker successfully phishes you, they are an insider. They can proceed at pace. They’re not hacking,” Bochman said. “There’s an incredible dearth of utility-quality or industry-quality control systems security personnel in the country. Probably in the world.”