Why the Government's Ability to Protect Against Online Attacks Is Limited

When Sen. Bill Nelson asked who was responsible for hacking into one of the computers in his Capitol Hill office several times in February and March, government investigators responded that the attack originated in China. But when the Florida Democrat quizzed the head of U.S. Strategic Command during a hearing on cybersecurity about who was responsible for protecting his computer from foreign threats, there wasn't a simple answer.

Indeed, there are dozens of governmental and private organizations that have a hand in shielding the nation's computers from threats, including software makers like Microsoft, the supersecret National Security Agency, the Department of Homeland Security, and ad hoc groups of computer security experts like the Conficker Working Group. The Obama administration wrapped up a 60-day review last week to decide who should be formally in charge of government cybersecurity. It has yet to announce the results, but the White House is eager to centralize and consolidate the government's disparate efforts under a cybersecurity czar, who would have the authority to coordinate and standardize federal efforts. A draft Senate bill would create the czar position and greatly expand the government's authority over online infrastructure deemed critical.

But there is also an uncomfortable and growing appreciation for the limits on what the government can do, because computer security ultimately relies on the personal computing habits of millions of computer users around the world. Hackers, for example, often exploit computers with outdated or no antivirus software to carry out their attacks. Nelson's staff isn't sure how their computers were attacked. In one incident, the hacker trolled around for an hour or two before being detected. But as a precaution, the office has instituted new rules about visiting certain websites.

The threat is serious. Beyond the risk of compromised government computers, there are other serious national security concerns. Earlier this month, reports emerged that Chinese and Russian hackers had infiltrated America's electric grid, sparking fears that online attackers could take down power plants. Yet a recent survey of power producers around the country found that 70 percent of power-generating companies don't recognize their equipment as critical cyberassets that require protection, leaving the grid vulnerable to coordinated attacks.

Despite years of reports warning about these kinds of threats, the solutions routinely get hung up on basic issues: the quickly evolving technology, the public and private nature of the computing infrastructure, and the conflicting demands of preserving both security and privacy. "With so many reports and warnings on the one hand and so few people actually feeling the pain of cybercrime on the other, there is a danger of crying wolf," says computer security expert Jim Gerretson.

The vulnerabilities in the power grid and home computers are remarkably alike. All computer networks, from government to civilian, are built with similar components and software, and hackers target them both. That means that the problems and solutions are also the same, experts say. A recent report by the Government Accountability Office confirmed that government networks suffer from some of the same vulnerabilities as corporate and home computers—users are careless, networks are badly managed, software updates aren't installed, and access is not properly controlled.

Home computers without protective measures are putting more than their own information at risk. Organized cyberbrigands frequently take over unsecured computers unbeknown to users to launch coordinated attacks untraceably. But in a recent survey, 10 percent of all PC users said they don't use antivirus software, and more lack proper firewalls. Some 60 percent lacked even rudimentary privacy software to limit exposure to hacking.

Partly because of these vulnerabilities, the FBI says cybersecurity is now its No. 3 priority, after counterterrorism and counterintelligence. Online crimes can range from simple identity theft to a full-scale attack on a financial firm's computer network. But even routine fraudulent Internet transactions of various types are up; they rose by a third from 2007 to a total of $265 million last year, according to the FBI's Internet Crime Complaint Center. Credit some of that to a slumping economy, says the security firm McAfee, because people are more prone than usual to take the bait in online get-rich-quick scams.

The government's ability to change online behavior has limits. Congress passed legislation to limit spam, but it has done little to reduce the volume of junk mail clogging inboxes. "The wheels of government spin far more slowly than the wheels of technology, and by passing legislation quickly, government can hurt as much as they help," says Richard Wang, a security expert with SophosLabs.

Rather than address a particular vulnerability, some say, the government should try to create partnerships to deal with new threats. "If the government has any clever ideas to solve its cybersecurity problems, certainly a lot of us could benefit from those solutions. If it has an idea for improving network security, it should tell everyone," Bruce Schneier, a veteran cryptographer, wrote recently on his influential security blog.

The Pentagon will soon create its own Cyber Command to coordinate both offensive and defensive efforts online, according to reports in the Wall Street Journal. That announcement comes on the heels of a revelation that hackers—likely based in China—stole large amounts of engineering data about the $300 billion Joint Strike Fighter project. Defense Department personnel meanwhile, were recently banned from using portable flash drives on military computer networks during the outbreak of a particularly difficult to detect computer worm. In total, the Pentagon spent more than $100 million in the past six months responding to various cyberattacks, officials revealed earlier this month. One such attack, also believed to be the work of Chinese hackers, infected nearly 75 percent of the computers at the largest military base in Afghanistan.

Meanwhile, the mysterious Conficker worm continues to challenge civilian security experts, who can't enforce drastic measures like banning flash drives. Instead, a public-information campaign warned users about the threat, and a group of experts formed a working group to provide free diagnostic advice. But the worm is still infecting computers worldwide and, in a particularly insidious twist, is tricking some infected machines into installing fraudulent antivirus software.

Experts say that large-scale information campaigns to encourage better computer hygiene could be one important step. The government could also use its purchasing power to pressure software makers to meet higher safety standards. That could help solve common problems for both government and private users. The cyberexperts draw an analogy to measures used to limit highway fatalities 50 years ago. The government can mandate car safety devices and enforce the laws of the road. But it's up to the individual drivers to ensure they have working brakes, drive safely, and buckle up.