CISPA Isn't a Real Threat But Cyberattacks Are

We have yet to establish security standards to prevent large-scale cyberattacks on the nation’s critical infrastructure.

No wonder former secretary of defense Leon Panetta warned publicly that the U.S. could soon face a mass disruption, an event of catastrophic proportion, what he named a "cyber-Pearl Harbor," that could wreak havoc on the elaborate computer networks daily life in America depends on – one that could be created in the blink of an eye from remote locations overseas.

A concerted assault on U.S. networks of information, power generation, water, air traffic control and GPS systems could produce panic and chaos. The U.S. intelligence community's annual review puts cyberattacks by foreigners on our critical infrastructure at the forefront of a list of threats that includes terrorism, global crime networks, and the proliferation of weapons of mass destruction.

Why, then, is the Senate holding up the Cyber Intelligence Sharing and Protection Act (CISPA)? It creates a database for known threats from cyberspace so that industry and government would be able to identify and record the viruses, malware and dirty tricks evolving all the time. Promoted by House Intelligence Committee Chairman Mike Rogers, R-Mich., and the ranking member C.A. Dutch Ruppersberger, D-Md., it was passed by the House with a huge majority. But it is still being held up by the Senate.

The blocking seems to lie in the fear that the government might use CISPA to pry into your personal affairs. As attorney Brian Finch wrote this week in Roll Call, "depriving the government of the ability to share that information is tantamount to telling the FBI that it can publish a '10 Most Wanted' list, but only if no names or descriptors are used." We all want our personal secrets held inviolate, but CISPA is not a real threat. Cyberwarfare is.

President Obama summed it up in the State of the Union address: "Our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems; we cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

China claims it is a victim, too. The Chinese Foreign Ministry has declared itself "firmly against any forms of cyberattacks." But this week, in justifiably strong language, the Pentagon directly accused China's government and military of carrying out numerous attempts to infiltrate our defense industrial base. The report underlines that the private sector is targeted through means that are less questionable but nonetheless indicate the level of intrusion: "China continues to leverage foreign investments, commercial joint ventures, academic exchanges, the experience of repatriated Chinese students and researchers, and state sponsored industrial and technical espionage to increase the level of technologies and expertise available to support military research, development and acquisition."

To date we have yet to establish security standards to prevent large-scale cyberattacks on the nation's critical infrastructure. This, despite the awareness of the extent to which our most critical cybersystems have been infiltrated. Our cyberdefenses are "woefully lacking," according to our national intelligence directors. "We are no nearer to dealing comprehensively with the issues presented by the danger of unauthorized entry into, and use of, our computer systems than we were a decade ago," former attorney general Michael Mukasey has said.

What we need is an intense, comprehensive and continuing effort to keep us safe from cyberattacks. Technology companies and individuals should be encouraged to bid for software to destroy, deny, degrade, disrupt, correct or usurp an adversary's attempt to use cyberspace for an advantage and to launch superfast computer counterattacks. The National Security Agency must take the lead in such a process.

We have a White House cyber-tsar to develop a national strategy. But too little of substance has been done to date. We are going to have to consider what students are accepted at the world's top five computer science schools, all of which are in America, for we must educate and retain our talent. We will also have to review the kinds of investment made in U.S. companies where technology will be shared including through joint venture and minority investment, as well as outright purchases of U.S. businesses. We are going to have to find a way to share threat information, to make it easier for critical infrastructure companies to share information with the government when they are attacked, and also to help them recover from attack. When it comes to intellectual property, we are not just dealing with state actors having a specific agenda. Somebody described it as a group of 18-wheelers backing up on K Street, accumulating all that confidential information, and sending it to China.