Cyber attacks cost the U.S. well over a trillion dollars per year, according to some estimates, and cybersecurity experts from government and the private sector say U.S. companies need to focus more on protecting themselves.
"[Companies] are not looking at that aggregate cost to the country. They're doing an analysis of their return on investment and what is it worth to invest and protect that intellectual property," said Suzanne Spaulding, an official at the Department of Homeland Security's National Protection and Programs Directorate, which protects the nation's infrastructure, during a panel discussion at a cybersecurity conference co-hosted by U.S. News and George Washington University.
That means firms could be underestimating the economic threat hackers pose. But because government enforcement has not yet caught up to cyber attackers, says one expert, companies are growing more worried all the time.
"Imagine if Russia flew planes into U.S. airspace. What would happen? The first time it happened, our jets would scramble and escort them out, and our president would be on the phone to Moscow," said Shawn Henry, former executive assistant director of the FBI and president of the cybersecurity firm CrowdStrike Services. "Yet this happens thousands of times a day in cyberspace, and corporations are fed up with the fact that there is nothing being done."
Richard Bejtlich, chief security officer at cybersecurity firm Mandiant, offered the example of a U.S. company attempting to make a deal with a foreign firm. If that foreign firm has gained an advantage via hacking--getting the U.S. company's confidential financial information, for example--that hurts the U.S. firm and U.S. business on a broader scale.
"How do you conduct business in that sort of environment?" asked Bejtlich.
It's one thing to hear this sort of message from security firms, but one government official agrees that Washington can't be the sole defense against cyber attacks.
"Frankly, I think that government is not in a better position to do that risk management calculus than the individual company is, with regard to intellectual property theft," added DHS's Spaulding.
DHS meets regularly with CEOs to brief them on the latest cyber threats, Spaulding added. Still, she believes that government should devote more effort to securing digital infrastructure.
She argues the U.S. education system needs to train more people to work in cybersecurity, and government agencies will need more hiring authority to put those people to work. Of course, in the current political climate of tight budgets and government downsizing, that may be an uphill battle.