Yesterday, Defense Secretary Leon Panetta gave a dire warning of cybersecurity threats at the Intrepid museum in New York. Panetta said that the U.S. could face a “cyber Pearl Harbor” and described how a cyber attack could, “derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
Hmm, when have I heard a similar description? Oh yeah, it was 1998 when Deputy Defense Secretary John Hamre cautioned the U.S. Congress about Critical Infrastructure Protection (CIP) by warning of a potential “cyber Pearl Harbor.” Hamre stated that a devastating cyber attack “… is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”
So various senior folks at DoD have been issuing the same warning for 14 years or in Washington terminology, 4 administrations. Within this timeframe, the volume and sophistication of cyber threats has grown exponentially. What have we done during this timeframe to actually improve cybersecurity readiness in the critical infrastructure? Almost nothing.
Based upon my intelligence sources, I believe we should expect a few disruptive cyber attacks fairly soon. How bad will they be? Tough to say but as a general rule, about 20% of enterprise organizations are fairly well prepared. The other 80% are extremely vulnerable.
The struggle of course is what we do to become better prepared. Personally, I don’t think that we can address cybersecurity vulnerabilities without further regulations but I’ll leave this aside for now. At the very least, we need to do 3 things:
1. Assess the size of the problem. ESG has compiled hundreds of pages of market research over the past 5 years and we are not alone. So have other analyst firms, think tanks, universities, government agencies, and private companies. We need to peruse this research, conduct further research and get hard metrics on how exposed we are. We also need to produce some risk management calculations here. What are the threats, what are the vulnerabilities, and how valuable are the assets (or services) involved. In this way, we can prioritize our efforts.
2. Increase awareness. The term cybersecurity sounds like something Orwell might have coined. To achieve broader awareness, we need to eschew geek-speak and educate the American public. Efforts like cybersecurity awareness month and websites like www.staysafeonline.org are a great start but somewhat limited. We need a public awareness campaign akin to “Smokey the Bear” that starts in public schools and continues to reach out to adults who go on-line. As part of cybersecurity awareness, shareholders should also be educated so they can push corporate boards and CEOs of publicly=traded telecommunications, utilities, and financial services to be more transparent about their cybersecurity investment and preparation.
3. Increase R&D and cybersecurity education funding. Public investment in cybersecurity is woeful at best. We need the Feds to take the lead on this like DARPA did with the Internet. Aside from the technology however, one of the biggest risks we face is the lack of qualified cybersecurity professionals available. With close to 8% unemployment, this is a real shame. We need private/public for basic and advanced cybersecurity education and training to produce thousands of qualified professionals as soon as possible.
None of these directly addresses our cybersecurity vulnerabilities but the more data we have and the more people who understand how poorly we are prepared, the more likely we are to finally do something about it.
A successful cyber attack on the U.S. could act as a wake-up call and serve as the cybersecurity equivalent of Sputnik. Given the 14 years of cyber-Pearl Harbor warnings we’ve had, shame on us if we wait for this to happen.