Friday, October 19, 2012

Cyber Security: It's Time for Action


Last Thursday night, before a group of highly credentialed representatives from the public and private sectors, including decorated service members and CEOs of Fortune 500 companies, Secretary of Defense Leon Panetta delivered a hard-hitting, wake-up call speech on the state of cyber security in this country.  The composition of the audience, the host organization, and the location were not a coincidence.  He knows the people who need to hear his message: government officials and business leaders whose companies comprise industries and influence the economic state of our country.  The host of the event was Business Executives for National Security (BENS), a non-profit known to bring together the public and private sectors to reach consensus on key policy issues.  The location was New York, the hub of finance, the industry that has been hit the hardest by the recent series of attacks.  His message was clear: we have been warned; the cyber threat is serious and we must take action to secure our critical infrastructure against it.

I served in the US Senate during and after 9/11 and was part of the team that drafted the legislation to create the Department of Homeland Security.  As we laid out each of the components of the Department, a primary question we asked was how could we prevent another attack, natural, man-made, physical, or cyber.  What can be done to ensure this tragedy or something like it never happens again?

But there has been a shift in thinking since 9/11.  While prevention will always be important, the concentration is now and should be on response, recovery, and resilience.  We no longer question if attacks, disasters, crises – whatever term we choose to define damage – will occur, but when.  And, when they do, how resilient are we?  How quickly can we bounce back?  And, in the case of cyber, we are systematically unprepared.

Secretary Panetta highlighted the recent attacks on two sectors – oil/gas and banking.  Recently, US financial institutions have been hit by “distributed denial of service” attacks.  While this type of attack is not new, the scale and speed of it were – it affected significantly more users at a much higher speed.

Two months ago, a computer virus called “Shamoon” attacked the Saudi Arabian oil company, ARAMCO (and the Qatar energy company, Ras Gas, a few days later).  What was alarming about this attack was that the virus took data and intellectual property and destroyed the 30,000 computers it infected.  Secretary Panetta said the Shamoon virus was “probably the most destructive attack the private sector has seen to date.” 

Two salient points about the cyber threat can be drawn from these attacks.  The first is that they were extremely well-coordinated and well-planned, leading us to believe an entity greater than the hackers – a nation-state – was behind them.  And, all signs point toward Iran.  The second critical point is that we are seeing a rapid and threatening evolution of the cyber threat.  By anyone’s definition, we’re in the big leagues now.

How do we combat this growing threat?  We must focus on making our systems, companies, and industries more resilient.  Not enough companies understand the threat of cyber attacks and not enough companies are investing in cyber security and creating resilient infrastructure.  A well-orchestrated attack could take down a company or an industry without warning.   

But, we have been warned.  We know the threat – ignorance is not an excuse – and the government cannot fight it alone.  Government and the private sector must work together.  We must promote information sharing among the sectors and develop baseline standards to protect our most critical infrastructure and ensure its resiliency against basic and sophisticated attacks.  By creating resilient infrastructure, we are protecting ourselves against all hazards, not just the ones that make the headlines.

The debate on this issue has been adversarial – and that must change.  Government and the private sector must coordinate their knowledge and resources.  The way to ensure security is by creating standards through legislation.  Every attempt at voluntary coordination has fallen apart.

Panetta called this a pre-9/11 moment.  We have been warned; we are experiencing a series of cyber attacks that continue to escalate in severity.  The financial impact of a cyber attack could have consequences that far exceed our 9/11 experience.  Our nation’s economic and national security depend on cyber space in ways they didn’t a decade ago – yet, we fail to take steps to harden our infrastructure.

We need to take this threat seriously.  It’s time to pull ourselves out of the paralysis of debate and take action.  We must pass the legislation that will create standards for public/private collaboration to build a resilient national infrastructure that will keep our country secure.  Anything less will fail.