Adam Levin


The Next Osama Bin Laden Already Has Your Social Security Number

Posted: 11/17/11 08:15 AM ET

A massive cyber attack on American infrastructure is the 21st-century equivalent of the neutron bomb. All buildings remain standing but systems inside them are rendered useless. Human beings aren't killed on a large scale, but few, if any, are left standing either. And while this sounds pretty dire, it's quite likely some segment of this nation will at some time be shut down by cyber terrorists.

Late last month Janet Napolitano, Obama's homeland security chief, made some startling statements at a live event on cyber security sponsored by the Washington Post. For example, she said that hackers have "come close" more than once---maybe several times, or maybe many times---to compromising critical segments of America's infrastructure. In particular, she mentioned that big banks and transportation systems were popular targets for cyber attackers. When she was asked how many cyber attacks might have occurred during her 45-minute conversation, Napolitano replied, "Thousands." And if that weren't enough by itself, her most ominous remark was delivered in almost desultory terms: "I think we all have to be concerned about a network intrusion that shuts down part of the nation's infrastructure in such a fashion that it results in a loss of life."

It goes without saying that if an attack successfully shut down essential services, people would die unnecessarily. Curiously, Secretary Napolitano's remarks didn't attract a great deal of attention because they weren't news like they used to be. Large-scale data breaches or security hacks themselves are reported, but not highlighted as much, because they happen so frequently. It's similar to the criticism that the media sometimes considers shootings in "bad" neighborhoods as common occurrences and no longer really treats them as newsworthy. As a result, the near-apocalyptic observations about a hidden part of America (the binary bits of the cyber highway) by a cabinet-level officer also seemed to go unnoticed, drowned in a sea of news about gridlock in Washington, collapsing governments in Europe, and the brain blips of certain presidential candidates.

By this time we all know that most major institutions of government and industry have been hacked in some way, shape or form. Millions of people were compromised when Sony, Citibank, the Department of Veterans Affairs, contractors for the Department of Defense and others were successfully breached.

At least we heard about those.

A couple of days ago, Virginia Commonwealth University disclosed that a server containing files with the personal data, including Social Security numbers, of 176,567 current and former students, faculty, staff and affiliates had been compromised. From what I can tell, this breach wasn't reported anywhere except in local media and some security and tech websites. So I guess we're not likely to hear much about breaches of this type as time goes on, because they've become the equivalent of "white noise." But especially after hearing Ms. Napolitano's comments, perhaps we don't hear about other cyber attacks---hopefully far less common---which are directed at hurting all of us instead of just some of us, for very different reasons.

The government has tacitly acknowledged that the war is on, which can be deduced more from actions than from words. The Department of Homeland Security is hiring 1,000 cyber security specialists, and the always covert NSA is looking to hire 3,000. At DEFCON, the Las Vegas convention of hackers held last August, representatives of Homeland Security, NASA, the NSA, and the CIA were among the 10,000 attendees. For the agencies, it was a massive job fair, presuming that one could distinguish the white hats from the black hats during the interview process.

If you've ever read a copy of The 9/11 Report, you know that interagency cooperation is not necessarily a foregone conclusion. Indeed, there was some credible speculation that the 9/11 plot might have been uncovered and thwarted had the alphabet agencies been amiable instead of antagonistic. So while maybe it's a good thing that everybody's trying to hire people to fight the bad guys, two questions remain: why are they scrambling to staff up now, rather than a couple of years ago when the problem was already obvious (do they know something we don't?); and what makes anybody think all of these government agencies that at some level compete with one another can work together as a team, or better yet, as an army?

In the good old days, Ronald Reagan defeated the Evil Empire (aka the Soviets) by outspending them. The thinking was simple---America would keep building more armies and more armaments against an enemy that simply could not keep up financially. It worked, didn't it? And although those old Cold War enemies, China and Russia, are the most often-named potential thieves of American PII (that's personally identifiable information), fighting hackers is much more like a land war in Asia than anything else. The enemy doesn't follow any rules, doesn't wear uniforms, can be very hard to identify or even see, and may or may not be associated with an actual nation-state. As you and hopefully some officials in Washington may recall, fighting land wars in Asia just isn't our thing.

The U.S. government needs to be certain that our response to this genuine and massive threat is not as bureaucratic and fractious as everything else that goes on in Washington these days. We can't just spend our way out of this since the bad guys have as much, if not more, money, sophistication and sophisticated technology than we do. We need an organized and centralized cyber-army. We need a population sufficiently informed of the risks so that "if we see something, we say something" and we do something. And, most of all, we must acknowledge that of all of the potential catastrophes faced by this nation in the 21st century, a cyber attack from a dedicated enemy---be they a terrorist group, a competing nation-state, or just a bunch of crazies along the lines of the villains in the titles of James Bond novels---is the one to which we are most vulnerable.

This article originally appeared on Credit.com.

 

Comments
02:54 PM on 11/18/2011
Y2K!
Y2K!
Y2K!
02:59 AM on 11/18/2011
…, they may not want to acknowledge it but it's true. Furthermore, I hope you can prove me wrong and post a transcript of the interview where you followed up some of these vague statements by Sec. Napolitano, but I fear that even if you wanted to, interviews are so scripted these days with politicians, I'm afraid you wouldn't be able to.
02:59 AM on 11/18/2011
maybe billions in losses to companies for the subsequent cover-up and legal defenses in civil suits that arrive not because of the original hack, but, rather, because of the dishonesty, stalling, and ineptitude shown by said companies.
Ok enough of the condescending critique. I have to say that us normal computer folk are puzzled that there is no standard mandated by the government for security standards for those who handle consumers' personal and financial data. Even if there were standards, there is no law that I know of that penalizes companies when their usually lackluster to downright incompetent cyber-security is breached (the penalties for consumers are vast while recourse is limited and shrinking quickly). If they are going to put these bogeyman stories out there, it would be much more constructive if they also asserted a plan (or even the notion that there is in fact a plan) to make the consumers whose data is stolen whole again, and, more importantly, to stop chasing bored 17-year-olds looking for a challenge or to rebel. Meanwhile, I can't even get a large media company to admit or even acknowledge that they wrongfully sent me a check for $0.39 (not that I mind, but how did they get it deposited in my bank account if I cannot, and have not used any of their services.) Something is profoundly wrong with security in cyberspace and anyone who works in the industry knows it...
02:57 AM on 11/18/2011
Come on man, instead of pondering why DHS didn't expound on the "massive security breach" you know, the "thousands" that she referenced, there are a variety of follow-up questions that should have been asked after she dropped this little nugget. For instance, is there any sort of formal reporting mechanism for said "thousands" of intrusions? Why hasn't DHS (or after the 9/11 name-drop the DOD) investigated these? If they have, I don't remember any arrests... Oh, wait, they did publicize a bunch of "anonomi" arrests... Funny that they never bother to mention how much these mischievous wunderkind hackers that should, for the most part, be sent to college instead of federal prison have "stolen" from actual consumers. I'm sure it's billions (not really) well...
JustinP213
I dislike all political parties.
10:05 PM on 11/17/2011
Next Osama bin Laden? Really? Had to go there, Levin?