Business Roundtable Testifies on Cyber Security

Washington, DC, July 31, 2006--Testifying before a Senate Homeland Security and Government Affairs Subcommittee today, Karl Brondell of State Farm Insurance Companies warned that the U.S. is not adequately prepared for a cyber catastrophe, outlining the significant gaps in current response plans for restoring the Internet following a catastrophic cyber disruption identified by a Business Roundtable report.

Brondell, a strategic consultant in State Farm’s Strategic Resources Department, also detailed a series of Roundtable recommendations for government and businesses to improve identification and assessment of cyber disruptions, to coordinate responsibilities for Internet reconstitution, and to make needed investments in institutions with critical roles in Internet recovery. Business Roundtable is an association of 160 chief executive officers of leading U.S. companies, and State Farm leads the Roundtable’s Cyber Security Working Group of its Security Task Force.

Brondell commended the Senate panel for its interest in improving procedures to ensure recovery of the Internet following a major disruption, noting that this is a serious problem that should be addressed. He said that the Roundtable report, Essential Steps Toward Strengthening America’s Cyber Terrorism Preparedness, found the U.S. is ill-prepared for a cyber catastrophe due to a lack of coordination between the public and private sectors that would be critical to restoring the Internet following a disaster.

“Progress has been made over the past decade on technical issues, such as establishing computer security readiness teams in government and gaining a better understanding of cyber risks,” Brondell testified. “However, other issues have not been addressed, such as strategic management and governance issues around reconstituting the economy and shoring up market confidence after a wide-scale Internet failure.”

The Roundtable report identified major gaps in the U.S. response plans to restore the Internet:

Inadequate Early Warning System--The U.S. lacks an early warning system to identify potential Internet attacks or determine if the disruptions are spreading rapidly.

Unclear and Overlapping Responsibilities--Public and private organizations that would oversee recovery of the Internet have unclear or overlapping responsibilities, resulting in too many institutions with too little interaction and coordination.

Insufficient Resources--Existing organizations and institutions charged with Internet recovery should have sufficient resources and support. For example, little of the National Cyber Security Division (NCSD)’s funding is targeted for support of cyber recovery.

In its report, the Roundtable concluded that these gaps mean that the U.S. is not sufficiently prepared for a major incident that would lead to disruption of large parts of the Internet and the economy. In addition, the Roundtable report made a series of recommendations for responding to the challenge, including a public-private partnership that identifies and acts on ways to improve collaboration. The recommendations include:

Coordination between government and business of initial efforts to identify when an Internet attack or disruption is occurring;

Creation of a federally-funded panel of experts--from business, government and academia--who would assist in developing plans for restoring Internet services in the event of a massive disruption; and

Implementation of large-scale cyber emergency exercises, with lessons learned integrated into programs and procedures. These exercises should include senior government and business executives who are fully authorized to act during a cyber emergency.

“Without these changes, our nation will continue to use ad hoc and incomplete tools for managing a critical risk to the Internet--and to our nation’s economy and its security,” he said.