Former CIA Officer: U.S. Lags Far Behind in Cyber Security

The CIA's former head of information security worries about America's future.

Assistant Secretary of Defense Paul Stockton testifies before the Energy and Power Subcommittee of the House Energy and Commerce Committee, May 31, 2011. The hearing was to examine the protection of the nation's electric grid from physical and cybersecurity threats.
By SHARE

There is little hope for the U.S. patching up gaping holes in its cyber security defenses, says a former CIA employee tasked with guarding the agency's information.

The Obama administration and Congress have failed at producing lasting legislation that can protect the U.S. from cyber attacks, due in large part to hesitation over regulating businesses, says Robert Bigman, the former chief information security officer at CIA. The Cyber Security Act of 2012 would do little more than make the Department of Homeland Security a "cheerleader for good security practices," he says.

Just as car companies shirked the idea of mandatory airbags, and tobacco companies heavily resisted packaging their product with notifications about cancer, businesses that could be subjected to large-scale online attacks must be goaded into complying with new safety standards, Bigman said while speaking at a breakfast meeting on Monday.

[DEBATE: Should Congress Pass CISPA?]

"I'm not an optimist. I don't see anything happening soon," he says. "[Americans] don't feel it, it's not been personalized yet. That's the problem."

Bigman, now an information security consultant, has himself accidentally stumbled into the networks of electricity vendors while performing "white hat tests" — a term for probes that help an organization shore up gaps in its digital security. The most worrying threats come from Russian cyber criminal gangs — whose global networks extend to American cities like Kansas City and Seattle — and state-sponsored Chinese hackers, he says.

Cyber attacks on federal agencies increased 650 percent from 2006 to 2011, according to a Government Accountability Office report.

Bigman believes the U.S. government should emulate countries such as Israel, which has sweeping cyber security oversight at the local, state, and national level around the clock. Managers at each level of this system have the authority to act swiftly when facing a cyber threat.

[READ: The Science of Cyber Security]

"They don't have to ask up the chain to turn things off," says Bigman. "They can do it immediately."

Israel, along with Singapore, Sweden and Brazil, have a method under a national structure of identifying and categorizing threats and delegating who is responsible.

"The response is almost automatic," he says. "[The U.S.] is far, far away from that."

"Right now we're stuck in this unknown area," Bigman says of the debate over whether government agencies should suggest regulations for businesses to prevent cyber attacks. "By the way, that's exactly where the cyber criminals want us to be. They're very happy with our current situation."

More Science News:

Paul D. Shinkman is a national security reporter for U.S. News & World Report. You can follow him on Twitter or reach him at pshinkman@usnews.com.