Cyber attacks that could cripple critical infrastructure and suck billions of dollars out of bank accounts worldwide are a clear and present danger. That’s what a panel of private sector security experts told members of Congress on Wednesday, February 8.
During a hearing before the House Committee on Energy & Commerce, Robert Dix, Vice President for Critical Infrastructure Protection at Juniper Networks, said “The threat is real, the vulnerabilities are extensive, and the time is now.”
His testimony, along with that of executives from tech companies and internet security think tanks, was so urgent in tone and compelling in nature that Congresswoman Doris Matsui (D-California) called it the “most interesting and scary testimony she has ever heard”.
All of the tech experts agreed that here in the US, we are woefully unprepared to adequately protect ourselves from internet attacks that can do everything from draining bank accounts to shutting down power grids, disrupting communications networks, and compromising our military defense.
But they also agreed that there are things that can be done to mitigate the risk. The main thing they urged is that the government and the private sector work together to come up with good solutions to tackle what is an ever-growing problem.
Subcommittee members were told that an estimated $300 billion to $1 trillion per year is lost worldwide as a result of cyber crime, and that there has been a dramatic change in the past 18 to 24 months. Larry Clinton, President and CEO of the Internet Security Alliance, said attacks have become increasingly sophisticated, and are often state-supported.
Dr. James A. Lewis, Director and Senior Fellow, Technology and Public Policy Program at the Center for Strategic and International Studies, also spoke about state-supported cyber attacks, including ones carried out by Iran’s intelligence service. He asserted, “Iran is losing reluctance to attack our homeland”.
Lewis says a serious defense against cyber threats requires coordination between the public and private sector, as well as mandatory security regulation for critical infrastructure such as power and communications.
Dix suggests that the government conduct a massive public information campaign letting people know the severity of the problem, and urging them to protect themselves online. 80% of the exploitable vulnerabilities facing people online right now, he says, are a result of the fact that so many people use absolutely no protection–not even an antivirus program–on their computers.
For business, Clinton says, the biggest problem is not technology; it is cost. He says many businesses do not use solutions that already exist because they would be expensive to implement.
As a result, he says government needs to come up with a mix of mandatory regulations and incentives that would help business owners not only understand the necessity for better security measures, but actually be able to afford to implement them.
Those incentives could include tax breaks, insurance reform, subsidies for research and development, and “anything that helps people invest upfront in security for small to medium business”, according to Dr. Phyllis Schneck, McAfee Vice President and Chief Technical Officer, Global Public Sector. Because 99% of all business in the US is small to medium sized, she says incentives to help this sector of the economy are vital.
Small business, panel members noted, is particularly vulnerable to attack. Bill Connor, President and CEO of Entrust, says one of the most serious types of online threats facing small business is something called a “man in the middle” attack. It is enabled by a type of malware that infects a computer browser. Because it is what he called a “cloaked” threat, and not detectable by antivirus software, it can result in the loss of enormous amounts of money through spoofed online banking transactions.
But that’s just one of many online threats that could have a devastating effect on businesses too small to be able to afford an in-house computer security team. As a result, the Federal Communications Commission (FCC) has actually come up with an online resource that can help small businesses create customized cyber security plans.
Internet Service Providers (ISPs) could also play a key role in helping to fight our online enemies, according to Schneck. She says that because ISPs can actually detect anomalous traffic on their networks, they are in a unique position to actually stop it. However, she says they are currently barred from doing that by antiquated laws that relate to analog technology and do not address the realities of today’s digital networks. She urged lawmakers to revise outdated laws to make it easier to fight an enemy which she says is right now “faster and smarter than we are.”
She says that if the government and the private sector could share more information about network traffic, it would be much easier to track down and stop those who are intent on causing us harm.
One example of such sharing and collaboration, Dix suggested, would be the creation of a cyber threat tracking and detection map that would show malware outbreaks and unusual network traffic worldwide in real time, along the lines of a national weather map. He says it could be created with combined data from the public and private sectors, and monitored 24/7 by a team dedicated to tracking and responding to cyber attacks.
Other topics covered in the hearing included threats to mobile devices, malware-infected hardware manufactured in countries outside of the US, and the need for the federal government to buy from trusted suppliers–not just those who offer the lowest price.
If you’d like more details, you can watch a video of the hearing on C-SPAN.