The Blackout of 2003, which remains under investigation this week, not only highlighted the vulnerable nature of the nation's critical infrastructure systems, but also reinvigorated the debate over government regulation of security in the private sector.
"A common explanation for the problems facing the electricity system is that private firms have had inadequate incentives to invest in distribution lines," said Peter Orzag, a senior fellow at The Brookings Institution in Washington. "We cannot simply let markets work; we must make markets work. We can't just leave it up to the market to protect us from terrorist attacks. Government intervention in some form will be necessary."
Orzag made those comments during a September 4 congressional hearing into the cybersecurity aspects of the blackout.
According to Orzag, a workable model would include a mix of government regulation, market incentives and a mandated requirement to purchase terrorism insurance that bases premiums on how well companies meet certain security standards.
However, some private-sector CIOs don't see the need for greater government intervention. They argue that the security reality facing companies today is enough to force even the most reluctant firms to do what is necessary to secure their enterprises, including taking proactive steps to work with the government.
"The ultimate responsibility has always fallen to the individual company and industry to do its best to protect itself," said Bruce Blitch, CIO at Tessenderlo Kerley, a chemical manufacturing firm in Phoenix. "The instinct for self-preservation never needed to be legislated."
From Blitch's perspective, the security effort has been characterized by close cooperation with the Department of Homeland Security and other government agencies. "Had those agencies dictated requirements to industry without the benefit of that collaboration and cooperation, it is extremely unlikely that the reaction would have been anywhere near as good as it has been," he said.
Joseph Puglisi, CIO at Emcor Group, a mechanical and electrical construction firm in Norwalk, Conn., agreed. "The DHS has been some help in alerting us to new threats ... since (Sept. 11)," he said. "But the onus remains with us to both educate and enforce good practice."
The most important initiative for the government to undertake now would be to force the Securities and Exchange Commission to require publicly traded companies to report on information security readiness, said John Pescatore, an analyst at Gartner. "But we haven't seen any movement on this at all."