a cyber time bomb on Saudi Oil company Aramco, which destroyed 30,000 corporate computers. In September, Iran was again believed to be the culprit behind a slew of massive attacks that took down a string of U.S. banks’ web sites. Only a month later, a breach in the South Carolina Department of Revenue resulted in the theft of 3.6 million Social Security numbers.
So far, no one has managed to seriously damage or disrupt critical U.S. infrastructure networks. But it doesn’t take much to imagine the consequences of a hugely successful cyber attack, one that outgoing defense secretary Leon Panetta has said could amount to a “cyber-Pearl Harbor.” In a future conflict, an adversary unable to match our military supremacy might seek to exploit our computer vulnerabilities domestically. Scuttling vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. Or there could be power blackouts that bring business, cities and entire regions to a standstill. Imagine the impact of electronic banking networks that ceased to function.
We must avoid this future. Americans rightfully expect basic security protection. That’s why water treatment plants must test their water regularly for containments, why airplanes have secure cockpit doors and why nuclear power plants have fences and other defenses to thwart a terrorist attack. Much better cyber security must be added to the list.
Possible Solutions: Cyber Collaboration Between Industry and Government
While I am not usually an advocate of legislation as a foundation for addressing critical commercial challenges, cyber is one area where the nature of the threat transcends a clear government/free-market divide. The threats and challenges raise to the level of National Security threats and any point of failure could have catastrophic consequences. It is time for close collaboration and cooperation between government experts—some of the most talented cyber defenders in the world—and operators of critical commercial infrastructure in the free-market economy.
This will require trust between groups that are not normally comfortable with one another, as well as legislation that will allow for collaboration while ensuring legitimate privacy concerns. Further, a standard for data security and identify management must be implemented to insure that confidential and sensitive data is not vulnerable to external threats. Access control, authentication, data integrity, and accountability must be the minimal expectations for data (and networks) at risk.
Legislation should extend to ensuring that cyber breaches cannot be swept under the rug as a “cost of doing business.” Given the risks—for individuals, enterprises, the economy, and the government—transparency may be the most effective motivation to ensuring the sufficient attention is paid to cyber vulnerabilities in advance of a successful breach. Ubiquitous access demands ubiquitous security. Where security is not ensured, access must be restricted.
The possibility of a U.S. economic Armageddon is too high not to pursue such goals. Cyber attacks have grown well beyond a Washington problem of securing our bases and defense from penetration. They have started to affect Main Street and the bank accounts of millions of individuals and small businesses. The trillion-dollar theft of our intellectual property will seem like small potatoes when the derivatives of stolen IP are focused on competing with US industry in the global economy. The threats are real and the consequences ominous if we do not move to aggressively address and reverse the current trends.
