Is America Building a Cyber Security Sand Castle?

William Crowell, former Deputy Director of the National Security Agency, helps explain how private sector efforts coupled with public sector policies can mitigate cyber threats

Security has had more than 20 years to adjust to life in the Information Age. That’s the equivalent of two or three lifetimes in high-tech years. But it seems every time we feel closest to truly securing our networks, data and information, cybersecurity once again slithers out of our reach. Why is that?

In part, it’s because quickly evolving technology turns threats and mitigation techniques into living, breathing things. It’s also because cybersecurity is not just about each of us; it’s about all of us. Individual users, businesses and agencies across the globe have excelled at protecting their cyber assets. But individual efforts, while critical, are not enough. Information technology connects us all — sometimes more closely than we would prefer. We all share the risks and the responsibility.

This is one of the messages coming out of this spring’s frenzy of media coverage, executive branch shake-ups and legislative action regarding cybersecurity in the United States.

Cross-Sector Failures

Much of the recent attention to cybersecurity has revolved around an April 8 Wall Street Journal report that claimed foreign “cyber-spies” had penetrated the U.S. power grid and left behind malicious software. Since these claims surfaced, lawmakers, editorialists and industry experts have repeatedly evoked the alleged infiltration to illustrate both the need to improve national cybersecurity and the potential consequences of inaction.

Here is a prime example of the interconnectedness of our cyber existence: If our power grid were to be compromised and manipulated for malicious purposes, it would pose significant problems for the electric industry in the form of damage, fines, loss of revenue and more. It would pose problems for other privately owned businesses, which could lose significant revenue during prolonged or targeted power outages, and which could stand at greater risk of theft and looting in such circumstances. And it would pose problems for the public sector, which would have to expend extra resources to confront a potential increase in crime and unrest that extended outages might bring, and which could lose some of its capability to effectively deploy defenses in the event of simultaneous terrorist attack, for instance.

When the Wall Street Journal story broke, it should have already been clear that critical infrastructure was not the only sector with a problem. In recent months, we have seen reports of network intruders accessing data from the Pentagon’s Joint Strike Fighter project, the FAA’s employee information records and the U.S. Air Force’s air-traffic-control system. The Cybersecurity Commission of the Center for Strategic and International Studies stated in its Dec. 2008 report, “Securing Cyberspace for the 44th Presidency,” that “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration.” In its year-long examination of the state of national cybersecurity, the commission found that the Departments of State, Defense, Commerce, Homeland Security and NASA all experienced major intrusions by foreign entities in 2007 alone, and one department official reported that terabytes of information had been lost. It does not take much imagination to see how breaches of sensitive government and military information could negatively impact businesses and organizations across the private sector.

While private business outside of critical infrastructure seems to be largely off the hook this year with few high-profile data breaches in the news, their place in the chain of cybersecurity is particularly important. A data breach can have a major impact on their own bottom line — consider that Heartland Payment Systems has reported that the security breach it disclosed in January had cost the company about $12.6 million by May, and that price tag is likely to increase. But businesses’ well-being also strongly impacts the state of the nation. Coordinated, malicious attacks on private businesses could degrade an already struggling economy, and economic instability is historically associated with political turmoil, unrest and increased crime.

This content continues onto the next page...