
Feature

Cybersecurity and the Critical Infrastructure: Looking Beyond the Perimeter
By C. Warren Axelrod, Ph.D., CISM, CISSP
Almost all articles, reports and surveys on information security, IT auditing and risk management are about protecting the perimeters of organizations, preventing attempted attacks from penetrating into internal environments, and responding effectively if the intrusions are successful. Very little is written about ensuring that the external infrastructure is safe and secure. In fact, to the contrary, the Internet is most often characterized as a modern Wild West, with little or no law and order in place and little attempt to rectify the situation.

This article takes a broader perspective and looks beyond the bounds of an organization's cybersphere of influence and asserts that IT audit and information security professionals have a role in ensuring that not only are the systems and networks under organizations' purview and their direct control protected, but also that the environment in which their organizations' infrastructures reside is secure. This is radically different from the usual approach in that it suggests that audit and security professionals' role extends to the cyberinfrastructure.

Figure 1: IT Processes and Control Requirements Mapped to Technology Types
[Figure: nested physical and virtual perimeters. Labels: Virtual Perimeter of Organization; Physical Organization Boundary; Physical Country Border; Virtual Country Border; Physical World; Virtual World.]

Definition of Cybersecurity
According to the draft National Infrastructure Protection Plan, originally published in November 2005 and revised in January 2006, the definition of cybersecurity is:

"The prevention of damage to, unauthorized use of, exploitation of, and, if needed, the restoration of electronic information and communications systems (and the information contained therein) to ensure confidentiality, integrity and availability."[1]

While the context of the definition is the national infrastructure, the definition does not distinguish among personal, organizational, national and global environments. Also, while this does not specifically define a broader role, it can be construed as encompassing the entire cyberworld in its physical and virtual forms. Figure 1 illustrates the concept of differences between physical and virtual perimeters at the organizational, national and global levels. It shows how companies may have a broad global span, and it illustrates that physical and virtual realizations may not coincide. Certain areas of the physical globe may be excluded from the virtual world. Conversely, the virtual world may extend beyond physical land borders, such as into the sea. Similarly, not all locations of an organization are necessarily included in the virtual entity, but the virtual organization may extend beyond its physical perimeters into business partners, customers, service providers and the like.

Other Models: Transportation

Seat belts, compressible front and rear sections, and air bags are not the only means of protection for drivers. However, if little or no attention were given to highway controls, such as stop signs, traffic lights and guard rails, and there were no oversight and response by law enforcement, the in-vehicle protection devices would not be adequate. Also, if there were not regular state vehicle inspections in the US, there would likely be a raft of accidents due to inadequately maintained vehicles. There would be chaos, despite the internal vehicle safety measures. Outlaws would roam the byways and the highways, vehicles would be unsafe, and honest, diligent citizens would cringe in their homes.

Similarly, passenger aircraft have on-board safety devices, such as seat belts and life jackets. There are also very strict global air traffic control systems and inspections of the continuing safety of aircraft. Many of the practices in aircraft safety were influential in developing those for road vehicles, as well as water-borne vehicles. This practice is still continuing, with discussions such as the use of black box recorders in road vehicles.

Information Systems Control Journal, Volume 3, 2006

The general rule is that there are several categories of protection, including:
• On-vehicle designs and devices to reduce the damage caused to humans (drivers, passengers) if a vehicle is involved in an accident
• On-vehicle devices to enable persons to fare better following an accident
• Traffic control rules and systems to ensure that participant vehicles avoid accidents
• Traffic control enforcement practices and tools to ensure that vehicle operators are deterred from contravening the rules
• Requirements to ensure that vehicles are maintained to acceptable levels

After 11 September 2001
The security controls surrounding transportation changed radically after terrorists used commercial airplanes to destroy buildings in New York and Washington.

The doors of the airplane cockpits were secured, baggage and passengers were checked rigorously, contents of trucks were checked at the entries to bridges and tunnels and on the open highway, and armed law enforcers were put on planes and trains. In addition, lawmakers, law enforcement and defense agencies stepped up their efforts to detect suspicious activities, individuals and groups.

Application to the Cyberworld
Similar measures, controls and devices are now applied to the cyberworld, though some of the measures in place with transportation do not yet exist in cyberdom.

Many are trying to isolate and protect their own private systems and networks without paying much attention to fixing the public cyberinfrastructure. Meanwhile, the outlaws are moving up the food chain from recreational teenage hackers, to organized crime and, potentially, to hostile nation states. Therefore, answers must be found to the following questions, and the sooner the better:
• Do organizational citizens or individuals have any responsibility for maintaining a safe cyberspace infrastructure for all?
• If so, how should we go about transforming the Internet into a secure environment and enforcing controls?
• Lastly, what business is all this of IT auditors and information security professionals, and what should they be doing to improve the situation?

Who Is Responsible for Securing Cyberspace?
The real answer is that no individual, group or country is controlling, managing and securing cyberspace. No federation takes it upon itself to preserve and protect the whole of cyberspace.

To get a better handle on this, it is important to examine what roles and responsibilities are covered, how that governance is being pressured to change, and where the largest and most obvious gaps are.

ICANN: You Cannot
The Internet Corporation for Assigned Names and Numbers (ICANN) manages and controls much of the Internet. Initially, the US Department of Commerce (DoC) managed the Internet, but ICANN, a private corporation supervised by DoC, took over in 1998.[2] ICANN is responsible for allocating Internet protocol address space, assigning protocol identifiers, managing generic and country codes, and managing the root server system, according to its web site, www.icann.org.[3]

There have been heated international arguments that ICANN's role should go to an international body, as other countries have major issues with the US being able to determine the basic rules of Internet structure and assignments. The United Nations sponsored the World Summit on the Information Society on 16 November 2005 in Tunis, Tunisia, with one of the goals being to resolve this issue. The compromise outcome was to establish the Internet Governance Forum (IGF) to discuss Internet issues, while retaining exclusive US management of the Internet. However, the dominance of the US has resulted in several countries, including China, threatening to create parallel Internets of their own.

It is noteworthy that ICANN does not formally control broader policy aspects, such as intellectual property rights, fraud, spam, inappropriate and objectionable content, free speech, and privacy. This job has been left to a loose federation of advocacy groups [such as the Electronic Privacy Information Center (EPIC); Internet service providers (ISPs), such as Earthlink; vendors; federal and other government agencies; companies; and individuals], and the job is not getting done.

At the Conference on the Future of the Digital Economy hosted by the Organization for Economic Cooperation and Development (OECD) in Rome, Italy, officials from large technology companies pointed to the need for companies to take the lead in securing the Internet to avoid government intervention.[4] Unfortunately, similar prior protestations have not resulted in an upsurge in industry interest, and the feared legislation and regulation have ensued.

Given this horrendous lack of security management, it is no wonder that evil-doers, as well as businesses, institutions and government agencies, are taking full advantage of naïve users, accessing freely available information and putting it to regular or ill-intentioned use.

Other Attempts: Futile or Otherwise?
There appears to have been significant activity in this arena, judging from a recent article on the public/private relationship. According to former Secretary of the US Department of Homeland Security (DHS) Tom Ridge, the role of the government is to:
• Coordinate the effort among private-sector entities
• Tie in the academic community
• Pull in the expertise of government[5]

However, there is a wide gap between what is recommended in the President's National Strategy to Secure Cyberspace and what has been done, as documented in the National Agenda for Information Security in 2006 by the Cyber Security Industry Alliance (CSIA).

While the gaps have existed for some time, they are widening as the threats become more sophisticated and effective.

The Changing Threats
It is notable that the threats on cyberspace's availability, integrity and defenses are rapidly mutating into increasingly dangerous forms. Yet, even the experts disagree on the magnitude of the threat. At the E-Gov Institute's Security Conference in Washington, DC, USA, in November 2005, several opinions were expressed. Scott Borg, director of the US Cyber Consequences Unit, stated, "We will probably see terrorist groups, criminal organizations putting together combinations of talent."[6] Borg's view is that, up to now, the damage done by cyberattacks has been relatively small compared to losses of many billions of US dollars that could result from a coordinated attack on a critical US sector, such as the electrical grid, banking and finance, or telecommunications.

Borg recently said that enterprises must begin thinking about more than just perimeter defense and that they have to think about what they're doing with their information systems, how the bad guys are thinking, and what they'll be doing to their computer systems.[7]

On the other hand, at the same conference, Howard Schmidt, who was formerly a White House cybersecurity advisor under Richard A. Clarke, was reported as discounting the current problems on the Internet and did not see why any urgent action is needed.

While one would hope that Schmidt's more optimistic view would be the case, there is increasing evidence that Borg's opinion may be more accurate. The prospect of a Borg-type scenario does not bode well for e-commerce going forward. There is surely merit in taking early, proactive action rather than living in the hope that it will not be as bad as some are predicting.

Closing the Gap
There is clearly a widening of the gap between the rapidly evolving modes of attack and security professionals' ability to counter them. In fact, the growth in new kinds of exploits by increasingly motivated and dangerous groups is creating major concern among the providers of services over the Internet and their customers. Ernst & Young highlights this widening gap in its Global Information Security Survey 2005.[8] It sees a paradox between the rising number and intensity of threats and the stricter regulatory environment, on the one hand, and the amount actually being invested in security, on the other.

Raising the Threat Bar
As the Ernst & Young study shows, the priorities of companies with respect to security have changed, with compliance with regulations now taking the lead over worms and viruses and meeting business objectives as the primary concern.

The New York Times recently devoted an unprecedented three pages to the subject of spear phishing.[9] In the article, spear phishing is described as "a hybrid form of phishing" and "a distilled and potentially more potent version of phishing." The regular phisher casts a broad, ill-defined net across cyberspace, bombarding Internet users in general with fraudulent e-mails or attracting them to baited web sites. On the other hand, the spear phisher uses focused versions of these and other techniques, including spyware and key loggers, to go after specific victims.

With the increase in focus comes the greater likelihood that an attack, aimed at harvesting personally identifiable information, will be successful and that nefarious fraudulent activities will result. Customer awareness efforts, which are generally considered the cheap and easy way of reducing fraud, are less effective with these new threats, as the perpetrators are able to get around the traditional defenses. In addition, the threats are adaptive in that they mutate into increasingly effective exploits as fresh technologies introduce additional vulnerabilities and the groups become more adept at developing effective attacks.

Protecting the Critical Infrastructure
Given this information, what should companies and individuals be doing to counteract these trends? Has there been any specific guidance as to what should be done? The answer is yes. A fair amount has been written and proposed, but relatively little has been implemented.

In many regards, the blueprint was developed in the late 1990s with US Presidential Decision Directive (PDD) No. 63 on critical infrastructure protection (May 1998). PDD-63 laid out the various actions that should be taken over a five-year period to secure the sectors critical to the functioning of the nation and the economy. Some headway was made under former US President Clinton's administration, particularly with the formation of information sharing and analysis centers (ISACs), with financial services being at the forefront.

There was a distinct hiatus when the new administration took over in 2001.[10] However, in recent years, Homeland Security Presidential Directives (HSPDs) No. 5 (February 2003) and No. 7 (December 2003) were issued. The former required the Department of Homeland Security (DHS) to coordinate the development and implementation of the National Incident Management System (NIMS) and National Response Plan (NRP), which were issued on 1 March 2004 and 15 December 2004, respectively. The latter mandated the development of a national preparedness goal and gave DHS the responsibility to manage the national Critical Infrastructure and Key Resources (CI/KR) Protection Program.

Also, various national strategies and plans were developed and published, culminating in the 234-page National Infrastructure Protection Plan: Base Plan (NIPP), revised draft, dated January 2006. The plan notes that the private-sector CI/KR responsibilities can include such activities as:
• Performing comprehensive and focused risk assessments
• Developing awareness of critical dependencies and interdependencies
• Assisting and supporting federal, state and local efforts
• Implementing protective actions and programs to reduce identified vulnerabilities
• Participating in federal, state and local government emergency management programs
• Adhering to recognized standards and industry best practices
• Establishing resilient, robust and/or redundant operational systems or capabilities

It should be noted that cyberspace protection, while mentioned, appears subordinate to physical and human security protection. While this certainly addresses everyone's justifiable concerns over physical well-being, it tends to downplay the bloodless, yet devastating, disruptions that a cyberattack can engender.


Where Is the Private Sector?
It is fine to criticize government for not doing its part, as the US Government Accountability Office (GAO) and various partisan committees are quick to point out, but the private sector hardly offers an exemplary image in this regard. While several initiatives have been taken by particular sectors, with the banking and finance sector recognized as the leader, there is still a long way to go on all fronts, and there does not appear to be much in the way of leadership or appetite to take on the issues of cybersecurity in either the public or private sectors.

While it is true that lawmakers and regulators can force some action, with government's credibility already badly damaged in this space, it is hard to see an effective means of initiating the magnitude of effort required to make it happen. As a result, the burden is shifting to auditors and security professionals to close the gap between what is and what should be. The question is, are they equal to the task?

Guidance for Securing Cyberspace
The remainder of this article contains a list of suggestions, based on the previously mentioned NIPP and other sources, to encourage auditors and security professionals to address the broader cybersecurity issues and develop a model that will help achieve a high level of assurance as to the security of cyberspace.

PDD-63 made recommendations in four main areas: information sharing, research and development, vulnerability and assessment, and awareness and outreach. Of these, the greatest progress has been realized in the information sharing area. These recommendations represent a good start from the auditor and security professional perspectives.

Information Sharing
ISACs have been developed to provide notifications regarding security threats/exploits, vulnerabilities, incidents and resolutions. Typical inputs to an ISAC come from open sources, vendors, members and government agencies. The keys to success for an ISAC lie in the ability to:
• Obtain up-to-the-second information from reliable sources
• Provide for the ability of entities to report anonymously
• Screen and analyze reports to determine authenticity and severity
• Obtain subject matter expertise on defending against and/or fixing attacks
• Encourage two-way sharing between public- and private-sector entities
• Establish mechanisms for communication among ISACs without compromising members
• Encourage broad membership among eligible entities

There have been indications that all is not well in the interactions between some ISACs and the DHS. It is crucial for these relationships to be repaired as a top priority and for the number of subscribers (or members) to be maximized. The goal is to share useful information about security threats and vulnerabilities among trusted members and, when advisable, to restrict others, particularly those with evil intent, from gaining access to that information. Clearly, hackers and fraudsters are not similarly inclined. In fact, they take the opposite view, namely to broadcast vulnerabilities and methods of exploitation to as broad an audience as possible to increase the threat and potential damage.

One might argue that, from the perspective of financial firms subject to the Gramm-Leach-Bliley Act and the corresponding regulations, there is a requirement to subscribe to some form of security alert service, such as an ISAC, to be able to protect customers' nonpublic personal information from all anticipated threats.

It is incumbent upon security professionals, in particular, as well as IT auditors, to require and verify, respectively, that their organizations and/or those for which they are providing services are receiving and appropriately distributing information about security threats, vulnerabilities and incidents, obtained through alert services or other conduits.

Research and Development
One might think that research and development (R&D) on security-related topics is far removed from the day-to-day responsibilities of security professionals and auditors, and, in many respects, that is the case. Such research is typically conducted by vendors, academics and government agencies. However, such a situation does not necessarily produce the new information and the innovative services and products that are most needed by organizations or provide the best guidance in regard to relative priorities. It is likely that there is some correlation between what is wanted and needed and what is developed, since the goal of vendors is to produce products and services that will sell well, the goal of academia is to produce publishable results that will ideally lead to follow-up research, and the goal of government agencies is to come up with proposals for which budget money will be assigned. But there is no guarantee that such a relationship will hold. There are clearly many millions (if not billions) of US dollars spent on fruitless and unimportant research projects from the perspective of security and risk practitioners.

In performing their daily work, auditors, security professionals and risk managers may not see the connection (today it is weak at best), but, to effect more productive R&D, practitioners must provide some input into the R&D project selection process.

This is, in fact, beginning to happen in the banking and finance sector. In particular, the Financial Services Sector Coordinating Council (FSSCC) has established an industry R&D committee composed of financial firms, government and industry associations. The committee is charged with taking a broader view of the R&D agenda in regard to cybersecurity at large organizations and, specifically, in support of financial services companies.

Vulnerability Analysis
The "A" in ISAC stands for analysis. However, the analysis is somewhat general, covering not only vulnerabilities but also threats, protection mechanisms, actual incidents, mitigation strategies and the like.

PDD-63 and other documents relating to R&D stress the importance of vulnerability analysis under the presumption that, were one to eliminate all vulnerabilities, threats would become moot.

Of course, in the real-world dynamic environment of the Internet, where vulnerabilities are being announced by the minute and exploits against them are developed at breakneck speed, it is absurd to believe that one might arrive at a situation of zero vulnerabilities. One can but hope to keep current with vulnerabilities, patches and other protective measures. Consequently, one can justify expending money and effort to merely stay abreast, to the extent possible, of newly announced vulnerabilities.

Awareness and Outreach
Whatever the programs may be for sharing security information, determining the R&D agenda and analyzing vulnerabilities, not much progress will be made unless people know about it.

Prior programs for informing corporate, academic and government agency staff, and especially the public, were not particularly effective, as enforceable standards have been somewhat lacking.[11]

Conclusions
The assertion here is that if security, risk and audit professionals do not at least account for, and preferably improve and monitor, the cyberenvironment as a whole, they have not fulfilled their responsibilities. This might be considered heresy, since they and their review subjects do not have direct control over the external cyberworld. However, one can claim that they are, in fact, derelict in their duty if they do not take the broader view. Also, if they do not, it is likely that the lawmakers and regulators will eventually force them to do so.

Financial regulators throughout the world are extending responsibility for the protection of customer data beyond corporate boundaries to include service providers, and beyond country borders to include offshore facilities. Is it not then reasonable to extend responsibility from the physical to logical or virtual worlds? Should companies be responsible for the protection of data beyond corporate and country networks to the global cyberenvironment? What implications does this have for due diligence, service level agreements, change management, and the enforcement of policy and standards? Yes, there are differences, including differences in relative power and authority over private individuals. However, this only means that methods need to be modified and extended, not that the effort is pointless.

The bottom line is that, in today's cyberenvironment, enterprises must take on responsibility for protection within their perimeters, but must also be responsible citizens and assume some degree of responsibility for the safe and secure functioning of the world outside their gateways.

C. Warren Axelrod, Ph.D., CISM, CISSP
is director, global information security, for Pershing LLC, a BNY Securities Group company, where he develops and enforces corporate security policies, standards and architectures. He is involved in the financial services industry and at the national level with security and critical infrastructure protection issues. He was a founder and board member of the Financial Services Information Sharing and Analysis Center (FS/ISAC) and is currently a member of the Financial Services Sector Coordinating Council (FSSCC) Research & Development Committee. He chairs the GAISP Information Security Policy Principles Working Group and is the author of Outsourcing Information Security (Artech House, 2004).

Endnotes
1. National Infrastructure Protection Plan: Base Plan, revised draft (January 2006), is available at www.ni2ciel.org/NIPC/Revised-Draft-NIPP-v2.0.pdf. The definition of cybersecurity is on p. 120.
2. Kumar, N.; A. Mowshowitz; "Who Should Govern the Internet?", Communications of the ACM, vol. 49, no. 2, February 2006, p. 35-37
3. Indicative of the value of this franchise are its origins. Previously, Network Solutions Inc. (NSI) performed the allocation and assignment functions of the Internet. Systems Applications International Corporation (SAIC) bought NSI for a reported US $3 million in 1995 and sold it in 2000 to VeriSign for US $15.3 billion in stock. Subsequently, in 2003, Pivotal Private Equity bought NSI for US $100 million.
4. Lyman, Eric J.; "Forum Tackles Internet Regulation," International Relations and Security Network, January 2006, www.isn.ethz.ch/news/sw/details.cfm?id=14625
5. Armstrong, Illena; "Standing Strong: Partnering for a Robust IT Backbone," SC Magazine, February 2006, p. 26-34
6. Gross, Grant; "Security Expert: More Sophisticated Net Attacks Likely," PC World, 29 November 2005
7. Carr, J.; "Cyberattackers Take Aim," SC Magazine, February 2006, p. 36-39
8. A copy of Ernst & Young's Global Information Security Survey 2005: Report on the Widening Gap can be downloaded at www.ey.com/global/content.nsf/International/Press_Release_-_2005_Global_Information_Security_Survey.
9. O'Brien, Timothy L.; "Gone Spear-Phishin': For a New Breed of Hackers, This Time It's Personal," New York Times, vol. CLV, no. 53,418, 4 December 2005, p. 3-1, 3-7 and 3-9
10. A particularly harsh assessment is contained in the report Leaving the Nation at Risk: 33 Unfulfilled Promises from the Department of Homeland Security, by the US House Committee on Homeland Security Democratic Staff.
11. There are a number of efforts in progress to create generally accepted principles and standards. For example, the Information Systems Security Association (ISSA) is sponsoring an effort to develop generally accepted information security principles (GAISP).

Editor's Note:
Outsourcing Information Security is available from the ISACA Bookstore. For information, visit www.isaca.org/bookstore, e-mail bookstore@isaca.org, or telephone +1.847.253.1545, ext. 401 or 478. The book was reviewed in the Information Systems Control Journal, vol. 1, 2006.