It has been five years since hijackers slammed jetliners into the World Trade Center and the Pentagon, killing nearly 3,000 people, but nine out of 10 information security professionals believe federal government agencies are unprepared should the terrorist attacks turn to cyberspace.
According to a poll of 395 IT executives conducted by vulnerability and risk management provider nCircle, 85 percent believe the federal government is not ready for a cyber version of Sept. 11, 2001.
"I would fully agree with that," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. "We have no leadership at DHS (U.S. Department of Homeland Security) right now. We do not have a clear path for the roles and responsibilities, legal issues and policy issues that would surface during such a crisis."
Earlier this year, during the Federal Information Security Management Act (FISMA) grading of network security postures, 24 federal agencies received an average of D+, with seven agencies outright failing.
While some argue the grades focus more on compliance and less on best security practices, they are telling, experts say. President Bush's 2003 adoption of The National Strategy to Secure Cyberspace was a positive step, but since then "we've been running in place," said Kurtz.
He said the main obstacle is a lack of leadership. Officials are awaiting the appointment of a new director of the DHS's National Cyber Security Division – a position vacant since Amit Yoran resigned from the post of cyberczar in 2004.
Another impediment is the lack of understanding of the effects of a massive cyberattack, Kurtz said. Lawmakers and other Americans now can grasp fiery building collapses and innocent deaths, but they are unfamiliar with what can result from an act of cyberterrorism.
"There's an understandable focus on the physical infrastructure," Kurtz said. "It's visible. It's tangible. When it comes to the logical infrastructure, it's more difficult for people to get their head and their hands around it."
Meanwhile, the nCircle poll revealed that 86 percent of respondents believe their own organizations are prepared for cyberterrorism. But nCircle CEO Abe Kleinfeld said he is not sold, preaching the need for a risk scoring system to be developed for the private sector.
"Organizations will tout their own readiness to defend against cyberterrorists – even when the enterprise is vulnerable," he said. "The commercial sector can claim what it wants, but…all there is are anecdotes and guesswork."
By Dan Kaplan.