Playing Defense in Information Warfare

The September 11 attacks on the World Trade Center illustrate that in a free market economy, attacks against privately owned facilities can be even more damaging than those against government targets such as the Pentagon.

The same is true with respect to electronic warfare, which reveals a critical weakness in the world's defenses against terrorism. While policymakers and the media have focused some attention on protecting government agency computers against attack, this has not been the case with respect to commercial computers and networks.

Yet it is private business that collectively provides the foundation for commerce in our society and the infrastructure for many of the day-to-day activities of our citizens. While technology has made our economy more efficient and has provided new opportunities for our people, our reliance on it has also made almost every American, directly or indirectly, vulnerable to the effects of cyber-terrorism. The same can be said of most other developed countries.

Cyber-defenses against foreign attack have long been neglected, even though the threat to the government sector as well as critical infrastructure has been well known. In testimony discussing government computer systems before a U.S. House of Representatives hearing last fall, the U.S. General Accounting Office (GAO) stated, "Federal computer systems have significant pervasive weaknesses that continue to put critical operations and assets at risk."

The vulnerability is much higher in the business world, where companies' security efforts, where they exist, have been focused on detecting or stopping internal misconduct, individual hackers or criminals. Despite these existing security measures, we have already seen the effects of hackers or those who wish to conduct electronic vandalism. A determined attack by an organized group or foreign nation with the objective of maximum destruction presents greater and more sophisticated problems than hackers at home.

The highest-visibility target in the private sector is so-called critical infrastructure, such as power grids and telephone networks. The GAO found in its report that government outreach efforts to the private sector "have raised awareness and prompted information sharing. However, efforts to perform substantive analyses of sector-wide and cross-sector interdependencies and related vulnerabilities have been limited." Thus, while we have raised awareness, we have not even reached the analysis stage, let alone the point of taking action to solve the problem.

Compounding our vulnerability is that there has been relatively little attention at senior levels of the government, and no coordinated or systematic action, with respect to the vast array of businesses which do not fall into the category of critical infrastructure, but which affect every aspect of our lives and commerce.

In addressing this issue it is important that under the laudable goal of fighting terrorism we do not create a new set of problems by having the government impose a new regulatory regime under the guise of protecting security. This could stall development of new technologies and create a web of paperwork and red tape that would stifle innovation and raise costs for all of us.

The most effective approach will be to enhance information sharing between the public and private sectors. One example of how this can be accomplished is by exempting security-related information that the private sector provides to the government from mandatory disclosure laws like the U.S. Freedom of Information Act. If companies know that security-related information they provide to the government will be kept confidential rather than disclosed to hackers, terrorists or competitors, they will be more likely to share it. There are currently bills pending before the U.S. Congress to address this issue.

Additionally, governments worldwide should increase their funding of research and development on cyber-security-related technology. This research should be focused on technology for which there is no commercial basis for private companies to develop, but which is nevertheless important for national security reasons and thus properly within the realm of government action in a free market economy.

Another step would be to increase the level of attention to the possibility of computer-related attacks within the government. President Bush took an important step in this regard for the United States by creating a new office of cyber-security in the Office of Homeland Security, but the U.S. and the rest of the world need to do much more. Given the global nature of the Internet, coordination among governments and companies on a worldwide basis is another important step in promoting cyber-security.

The key is to swiftly take concrete steps today to protect ourselves tomorrow. If we do not, we may learn the lesson on the need to increase our efforts to address the well-known problems in cyber-security the same way we did with respect to the then well-known problems with aircraft security.

Edward Hearst is a Silicon Valley based e-business consultant and a former vice president at business-to-business software company Commerce One. He is also a former senior counsel on the U.S. House of Representatives Energy and Commerce Committee, where his responsibilities included cyber-security issues. He may be contacted at [email protected].
