The dialogue on cybersecurity has come a long way in the past few years. The news is awash with stories of theft of personal financial information, silent but effective espionage against our defense establishment and the potential effect of attacks against our pervasively networked critical infrastructure. However, the time for simply talking about solutions is quickly running out.
Despite numerous proposals to enact the comprehensive reforms we need, we have failed to make our laws and practices relevant to our 21st-century economy because of a missing sense of urgency and a lack of understanding of the role cybersecurity plays in our daily lives.
Too often, policymakers still view the security of our networks as a niche area that narrowly affects our society. That misleading perspective gets communicated to the public, leaving most in the dark on the extent to which their personal information, and in some cases their safety, is vulnerable.
We rely on the Internet to send personal files and sensitive government information as well as to monitor bank accounts and our electric grid. Yet security is not a priority for personal users; it is not a priority for many corporations; and it is not even a priority for some in government. And it’s costing us.
A 2010 study found the average price tag of a business data breach to be $7.2 million, and the intellectual property losses are staggering, with information stolen on a daily basis by our competitors for economic and military advantage.
As top cyber expert Jim Lewis noted: “The U.S. spent $368 billion on research and development [in 2010], but cyber espionage lets others get the results for free.”
Because it’s all happening in the digital realm, there is little public outrage.
Among our critical infrastructure, we lack even simple security measures for many of the systems that control our electric grid, water and sewage plants, and financial and telecommunications systems.
Yet we know of computer viruses, such as the now-infamous Stuxnet, that could devastate parts of these industries, resulting in enormous costs, borne largely by the taxpayer.
In November, we saw confusion about security at an Illinois water plant, and an FBI official said three cities’ utilities were recently compromised. None of this should be surprising. The types of industrial systems controlling our utilities were built in a non-networked world and designed for reliability, not security.
With acquisition cycles that take decades, companies leave little budgetary or operational room for security improvements. The reluctance to make upgrades has demonstrated that private owners and operators of our critical infrastructure don’t take this threat seriously enough.
Remedies for our cybersecurity challenges are well-known. The Center for Strategic and International Studies commission that I co-chaired in 2008 to make recommendations for the incoming president spelled out many solutions, but we need the political will to make them reality.
To better protect critical infrastructure, the Department of Homeland Security and regulators must develop new public-private partnerships, relying on incentives to improve security when possible but regulation when necessary. Government can work with each industry to determine best practices and issue standards and guidance, with consequences for those that do not comply.
These relationships should be backed up with the coordination of our top cyber experts across government, including at the National Security Agency.