Despite the banking industry's perceived success in the area of security, a recent
spate of money laundering schemes in the banking industry, including a $1.4 billion
scam against Citigroup Inc. and Commercial Bank of San Francisco that lasted nine
years, raises serious questions about the status of security in the industry, said
Horton.
Likewise, the airline and telecommunications sectors have come "under siege" as a
result of deregulation and the current climate of mergers and acquisitions, said
Horton. A senior White House official said yeaars of a "systematic underinvestment in
[electric power] grid capacity," combined with the effects of wholesale deregulation,
has created a "potentially perilous [security] situation."
But two CIOs from the natural gas and electric industries said that security
protections against cyberattacks in their industries are being addressed constantly,
although the national effort lacks a useful gauge for how much security is enough.
"If you don't have any attacks, it's easy to let the program slip," said Jon Arnold,
CIO at the Edison Electric Institute in Washington, a trade association that represents
100 investor-owned electric utilities.
What's it all for?
Gary Gardner, CIO at the American Gas Association in Washington, said he sometimes
wonders what the industry gets in return for its cooperation with the government. "To
some extent, I don't know what sharing all this information achieves for us, which is
what the oil industry has said as well," said Gardner, adding that FBI warnings on
the "I Love You" virus didn't arrive until two hours after it hit his company's
offices.
Bruce Freeman, CIO at Burlington Northern Santa Fe Corp. (BNSF) in Fort Worth,
Texas, said his company became concerned about infrastructure security four years ago,
partly because a security consultant was able to persuade 97 out of 100 BNSF employees
to divulge their system passwords and user IDs.
Freeman said the railroad immediately entered into an aggressive training campaign
to educate employees to be more secure. He said the company also beefed up its
infrastructure security.
Gene Gorzelnik, a spokesman for the North American Electric Reliability Council
(NERC) in Princeton, N.J., said all the sectors are making progress, but admittedly at
different speeds. "You can't build something from nothing overnight," he said.
The NERC is presenting written recommendations for the Clinton plan.
Linda Rosencrance contributed to this story.
