Getting the U.S. to prioritize the overhaul of vulnerable, dated information networks may not be easy amid economic turmoil and demand for a quick-fix stimulus
Plenty of companies are lining up for a share of the billions of dollars in federal economic relief, citing doomsday scenarios in the event they don't get bailed out. Few can match the worst-case scenarios set forth by cyber-security proponents.
Consider remarks before Congress last year by O. Sami Saydjari, CEO of Cyber Defense Agency, a security research and consulting firm, and a former official at the Defense Dept.'s research arm, DARPA. Following a major cyber-attack, he told legislators, electricity, banking, and communications could all go dead, leaving Americans scrounging for food, water, gasoline—even hunks of firewood traded on the black market.
Even with that chilling warning, Saydjari and his colleagues didn't make much headway with Congress and the Bush Administration. They now hope that President-elect Barack Obama, who stressed the importance of cyber-security on the campaign trail, will channel stimulus funds to strengthening the security of the U.S. information networks.
National Defense at Stake
To that end, a 44-page report by the Commission on Cybersecurity, a bipartisan panel that includes executives, lawmakers, and military officers, outlines an ambitious defense program (BusinessWeek.com, 12/7/08). Saydjari estimates that the job will cost from $30 billion to $50 billion, take five years, and employ tens of thousands of engineers and scientists.
Obama's campaign rhetoric aside, cyber-security may still be a hard sell politically to a public that wants instant results. The plans outlined in the report are not "shovel-in-the-ground projects," Saydjari explains. The first year would largely be spent studying the vulnerabilities and outlining a response. Most of the spending—and jobs—would come in years two through five. This work involves rearchitecting the very systems that sustain our information economy.
But economic stimulus is only one aspect of cyber-security. The far more important issue is national defense. Saydjari and other experts stress that the U.S. economy is built upon networks that are vulnerable to attacks. These could come from hackers, terrorists, or even national governments.
Counting on Obama
Jeffrey Carr, who heads an open-source cyber-defense study group known as Grey Goose, says that cyber-defense reports are already circulating among Obama transition team officials. "We're hoping that they'll support a reinvigorated and more expansive effort right out of the gate," he says.
The U.S., as a pioneer of information networks, faces special challenges: a mixture of aging legacy systems. China, by contrast, operates on a newer, far more secure set of Internet protocols. So in the worst-case scenario, China could launch a pre-emptive attack on U.S. networks, and the U.S. would be hard-pressed to mount an effective response.
With the launch of the Russian Sputnik satellite in 1957, U.S. military analysts quickly woke up to the strategic challenge presented by space exploration. It was a crucial theater in which neither Cold War power could afford to cede dominance to the other. Saydjari says that information networks constitute a vital "underspace."
Building Digital Bulkheads
Early work, he predicts, will be to segment pieces of the information architecture so that an attack in one sector will not spread to others. He compares this to the partitions known as "bulkheads" in ships, which prevent rushing water from sinking the entire vessel.
Past efforts to persuade the government to improve cyber-defense have been sidelined. In 2002 a group of scientists sent an urgent letter to President Bush asking for rapid action to defend American cyber-space. "There is no doubt that such a serious national vulnerability is a real and present danger," they wrote. "Many nations, including Iran and China, for example, have already developed cyber-offense capabilities that threaten our economy and the economies of our allies."
The Administration pushed forward with other priorities, including the wars in Afghanistan and Iraq. However, on Jan. 8, the President approved a vast Cyber-Defense Initiative. Much of the early work, according to an interview with Melissa Hathaway, who oversees cyber-defense under the Director of National Intelligence, is reducing the number of the government's Internet access points, so that they can be more easily controlled and defended.
Cyber-Security Czar Needed
Saydjari says the effort must reach throughout society—securing even the computers in homes and offices. This will involve agreeing on safe industry standards with leading tech companies, and extending awareness throughout the nation's companies and schools. And to be effective, the effort requires a cyber-security chief who reports directly to the President.