Failure to Appreciate Cyber Attacks’ Danger Could Cost U.S.

"Cyberspace is not a leadership issue in this country,” said Marcus Sachs, Verizon executive director for national security and cyber policy. “The guys up on the Hill … have some cyber bills, but they're very more interested in things that are closer to the election that’s coming up.” While the White House says cyberspace is important, it’s not listed as a major issue on its website, he said. “The politicians are a special problem, because politicians are people people,” said Scott Borg, director of the nonprofit U.S. Cyber Consequences Unit. “They're the opposite of nerds, the opposite of geeks, and so they're really one of the last groups to come around to appreciating this."

"We're going to be attacked in cyberspace,” said Stewart Baker, former Homeland Security Department assistant secretary for policy. The U.S. has led global thinking on cyber attacks, but it’s also the most vulnerable country, he said. People aren’t taking the threat seriously enough, in part because so much information is classified and it’s hard to convey the threat to the public, he said. The U.S. is “great at overreacting,” but “it will take a disaster” to make the country proactive, said BT Chief Security Officer Bruce Schneier. There’s now “no political will” to make policy that may be unpopular to industry or other big groups, he said.

Writing cybersecurity mandates may be a pointless endeavor, said Borg. “The government can’t mandate with cybersecurity, because by the time they have specified what they want people to do, it’s not only going to be obsolete, it’s going to be an impediment to doing something better.” A better role for government is to become a “golden example” by securing its own networks, said Sachs. It shouldn’t issue prescriptive rules that don’t also apply to itself, he said. The private sector is far ahead of the government in securing networks, said Jason Healey, senior consultant for Delta Risk and formerly the White House’s director for cyber infrastructure protection.

As Congress spends money on cybersecurity, it mustn’t forget cyber crime originating inside the U.S., said Sachs. A lot of money is going to national security, but the Justice Department is getting “chicken feed,” he said. Part of the problem is “we haven’t made enough of a distinction between things that are cyber crime, and things that are cyber war,” said Healey.

Cyber attacks are becoming more dangerous as they grow more sophisticated, and more, critical aspects of civilization move online, said Schneier. “As what we do moves on to cyberspace, the attackers move there and we're forced to defend ourselves there.” Attacks are so easy to launch, “even a kid could do it,” and they have become more profitable because more people are adopting the Internet, he said.

Schneier called cyberspace a full-fledged “theatre of war,” and said a cyber attack could be as dangerous as a nuclear bomb given its potential to destroy key national infrastructure. Borg agreed that cyber attacks are comparable to nuclear attacks at least with regard to potential damage to the economy. He estimated that 72 percent of businesses would shut down if a cyber attack took out the electric grid. Sachs questioned comparing cyberspace to air, sea and land combat zones. Unlike those, cyberspace is “completely man-made,” and therefore “completely man-changeable,” he said. “At some point we have to come to grips with that, and realize that … what we currently call cyberspace, we don’t have to live with it. We can change it, we can modify it, we can make it whatever we want to be.”