Interview: Mark Weatherford and Cybersecurity for Critical Infrastructure

The former VP and CSO at NERC says the electricity supply industry already has a mature cybersecurity framework it has been refining for more than seven years
The former VP and CSO at NERC says the electricity supply industry already has a mature cybersecurity framework it has been refining for more than seven years

Few people know as much about cybersecurity – or applying it on a public level – than Mark Weatherford. Currently a principal with The Chertoff Group, a broad-based security consultancy founded by the former DHS secretary, Weatherford built his resume first as a cryptology officer in the US Navy, then in the private sector, but most recently through a string of public sector roles that culminated in being appointed as the US Department of Homeland Security’s first Deputy Under Secretary for Cybersecurity.

It was late this past summer when I caught up with Weatherford, during the SINET Innovation Summit in New York City. President Obama’s recent executive order on cybersecurity for critical infrastructure was still fresh on the minds of many attendees, and was naturally on the agenda. “I had a big part in that before I left DHS”, Weatherford said of his role in developing the Administration’s executive order.

I asked him how severe is the cyber threat to critical infrastructure, and if the potential exists for loss-of-life events. “I think there could be”, he says candidly. He recalls the 2003 blackout over wide swaths of the Northeastern US and parts of Canada, and all of the services that it affected. “When you think about the organizations that provide security, safety, and healthcare services to society, that all of the sudden don’t have power…if this went on for a long period of time, it could be rather catastrophic.”

He also reflects on Hurricane Sandy, and the havoc it wreaked on the New York metro area’s inability to pump clean drinking water. Of course, he reminds me, these were not cyber-related attacks, but the breakdown of services illustrated the negative cascading effects of long-term outages that are a real possibility. There are survival issues at play here, he added, and when it comes to cyber-attacks on critical infrastructure, he surmised, “potentially it could be life threatening.”

Where the threat comes from misses the point, Weatherford claims. “That’s an intelligence issue, and I’m a security guy”, he tells me. “My job is to help companies understand what their risks are”, he says of his current role with The Chertoff Group. “It doesn’t matter to me whether it’s a terrorist, or a nation-state, or a hacktivist group; anything that can cause disruption or destruction is something – from a security perspective – that needs to be built into [organizations’] risk framework.” In his estimation, Weatherford comments, it’s not the who, but what they are able to do – it’s the actual vulnerability that’s the real concern.

When it comes to protecting critical infrastructure, Weatherford maintains overall praise for Obama’s executive order. Nevertheless, the private sector, in his opinion, maintains a level of distrust with respect to the ‘Preliminary Cybersecurity Framework’ that the order established, and was developed through NIST’s leadership. The problem, Weatherford suggests, is although the framework establishes voluntary recommendations, he asks what will happen if an organization experiences a cyber-related security incident, and has not implemented these ‘voluntary’ guidelines. There are potential legal ramifications at play here, he insists.

In his own words, “it’s perceived as a form of incrementalism”, Weatherford says of the NIST-led cybersecurity framework. His fear is that if applied too broadly or with extreme granularity, the framework would be the starting point from which more stringent regulations are built, and they may not necessarily apply to a particular business sector specifically. He cites as an example the electricity industry, which has already adopted such cybersecurity standards – after years of adjustments and revisions – that are far more mature than the broader framework NIST leading. “I think all of the other sectors that are not regulated…will be more concerned about this.”

The former DHS undersecretary and CISO says there are a few critical infrastructure sectors that have not been involved in developing the framework, but that the feedback workshops NIST has run have been productive nonetheless. “In all fairness”, he added, “there are elements of critical infrastructure that are very immature from an organizational policy perspective”, then there are some that are very mature – and all manner of those that lie in between. “There is an arc of discontinuity where some people are very involved, and some are not at all. But at the end of the day, there will be a baseline framework that will apply to everybody.”

NIST released its preliminary framework in October. Currently the cybersecurity framework is in its public comment period, and NIST expects to publish the final framework in February 2014.

What about the possibility of the US Congress passing a more comprehensive form of cybersecurity legislation that develops standards for critical infrastructure providers? Weatherford describes this possibility in one word: “dangerous”.

He references the fact that more than three-quarters of US critical infrastructure is owned by the private sector. “So Congress developing a standard that applies to everybody, means that Congress thinks they are smarter than the private sector, and that’s not true”, he says rather bluntly. I ask him if he indeed did work for the government at one time, and we both have a rather hearty chuckle. “Our mission at DHS was special, and it was primarily to work with the private sector – establishing relationships”, Weatherford responds.

Noting the complexity of many industries – and Congress’ penchant for reactionary behavior – he cautions on legislative action. “There are unintended consequences for doing things in areas that you don’t understand”, Weatherford concludes. An informed debate on the topic, along with the input of industry and experts in the area, would be required if such an approach were to be effective, he estimates.

“The purpose of the executive order was for the administration to recognize the importance of cybersecurity, and in the absence of doing nothing about it, show that it was doing something; and I think it was the right thing to do because it shines a light on cybersecurity. Quite frankly, Congress has not stepped up to the plate and done anything”, which Weatherford says he finds extremely disappointing. “Congress is letting partisan politics dictate their lack of direction on a subject that is of vital importance to the nation.”


For more on the topic of Cybersecurity in Critical Infrastructure, register for our FREE Infosecurity Virtual Conference today, live at 10:30 EST, Wednesday, Nov. 6, 2013. Or you can listen to the entire virtual event, including a live interview with Mark Weatherford, on demand beginning Friday, Nov. 8, 2013.


What’s hot on Infosecurity Magazine?