When it comes to securing our nation's mission-critical computer and Internet infrastructure, President Obama said, "Given the enormous damage that can be caused by even a single cyber attack, ad hoc responses will not do. Nor is it sufficient to simply strengthen our defenses after incidents or attacks occur. Just as we do for natural disasters, we have to have plans and resources in place beforehand -- sharing information, issuing warnings and ensuring a coordinated response."
That was three years ago. And now the FBI says that cyberattacks could overtake terrorism as the threat to the country. According to the Department of Homeland Security, between October 2011 and February 2012, there were 86 reported attacks on computer systems in the U.S. that control critical infrastructure, factories and databases, compared with 11 over the same period a year ago. To drive home this point, last month the Department even staged a mock cyberattack in New York, hoping to advance legislation that would put the president's message into action.
The staged attack was a valiant attempt to focus attention on an issue of crucial importance -- securing and insulating our nation's computer and Internet infrastructure from both internal and external attacks. While the ongoing (and almost deafening) Internet privacy debate is, at times, interesting (and sometimes even compelling), it is most certainly obscuring discussion about a threat that is, in reality, far more important. There are material, pressing and evolving questions about the state of our nation's computer and Internet infrastructure, and whether the companies that control its critical elements (including the Internet, utilities, transportation systems, banks and other financial institutions) are sufficiently prepared to withstand attacks.
As a country and responsible citizens, if we have to choose, then shouldn't we focus the "conversation" on the very real possibility of crippling economic fallout resulting from an assault on our infrastructure? Let's put our daily conversations about information over-sharing in perspective and address what is by far the real danger to our security and national well-being.
The first step in anticipating large-scale cyberattacks is to start thinking of them more like the proverbial disaster waiting to happen -- not a question of if, but when. Planning requires going beyond the limitations of current thinking and considering worst-case scenarios. The Department's mock attack in New York illustrates this approach.
Organizations such as the Red Cross have demonstrated how successful a coordinated and planned approach to managing physical disasters can be when you leverage the power of public and private partnerships. This strategy could be a blueprint for addressing our computer and Internet infrastructure challenges.
I continue to hold out hope for such a solution, even as the latest versions of legislation like the Cyber Intelligence Sharing and Protection Act (CISPA) and the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (PRECISE) are poised to arrive on the House floor for a vote later this month. Supporters are eager to lift the legal barriers that prevent private companies and the government from sharing knowledge of cyber security threats and how to combat them, despite the language tug-of-war between the tech community, which argues that the legislation is too narrow, and the privacy activists, who say the legislation is too broad. The simple fact remains that we have before us a serious threat that calls for serious collective action. Now is not the time to mince words, or worse, "opt out."