Should government or corporations command the battle for cybersecurity?
RAF MILDENHALL, England — It’s called the worst-case cyber scenario.
Someone hacks into one of America’s critical power grids, introducing a variety of malicious programming that wreaks havoc with the grid’s computer system. The system crashes and the juice stops flowing. Everything from water to food and natural gas soon becomes scarce. The economy buckles. Modern life grinds to a halt.
From the details of personal banking to the systems that run the nation’s critical infrastructure, everything is done through the vast series of interconnected computer networks that comprise cyberspace.
As a result, analysts are calling for a more robust defense of critical government and corporate computer networks. But even as the Obama administration rolls out initiatives to improve the nation’s cyber security, questions remain about what the government’s role should be.
Many power plant networks and other essential pieces of America’s infrastructure are owned, operated and protected by corporations.
Some say security of these vital networks should be the sole domain of the federal government because it is a national security concern. Critics say government monitoring of Internet usage — even for malicious programming — is a slippery slope toward Big Brother-style surveillance, and private industry can better secure their own networks.
It’s a question of freedom versus security.
"The big picture raises a big question," said Gregory Nojeim of the Center for Democracy and Technology. "If the federal government’s role is to monitor private networks ... that would be a huge problem for civil liberties."
Much of the government’s new emphasis on cyber security is still murky.
President Barack Obama declared in May that cyber security would be a national priority, creating a cybersecurity czar in the process. But it’s unclear how far that position’s authority will extend once the slot is filled.
In announcing the czar, Obama pledged the government wouldn’t monitor the Internet or mandate security standards to the private sector.
But the Cyber Security Act of 2009 — currently being debated in Congress — would give the president authority to shut down certain private networks in the event of a big attack.
U.S. government and other sensitive networks are probed and attacked daily, and it’s not always clear who is launching these assaults. The Office of the Secretary of Defense network was hacked into in 2007, resulting in the theft of an "amazing amount" of data that would be "valuable to adversaries," OSD chief information officer Dennis Clem said in a 2008 Government Executive interview.
According to the article, spoofed e-mails containing recognizable names were sent to OSD employees. When they opened the messages, user IDs and passwords that unlocked the entire network were stolen. Sensitive data was then accessed, copied and sent back to the intruder.
There are about 70,000 malicious access attempts against the OSD network each day, Clem said in the article.
The government is now figuring out what is already a constant threat for vital networks, according to James Lewis, head of the Center for Strategic and International Studies’ Cybersecurity Commission.
"We don’t know what the [Defense Department’s] role is, what the role of the government is," Lewis said. "We don’t know who our attackers are or how to respond to them."
Some government Internet surveillance programs already exist or are in development. Einstein 3 is reportedly being developed by the Department of Homeland Security and can read e-mails in addition to detecting malicious software.
Supporters of a more robust government presence in cybersecurity say privacy can be maintained in a surveillance program. Technology such as "deep-packet inspection" can already scan Internet traffic for tell-tale signs of malicious programming without actually reading the content of people’s Web site visits, correspondence and other e-data, Lewis said.
"You can scan for the weaponized bits without understanding the message," he said.
No laws exist allowing the government to protect the cyber network of a privately operated power plant or other critical infrastructure, according to Air Force Col. John Geis, director of the Center for Strategy and Technology at the Air War College.
When Geis’ researchers interviewed senior executives about cybersecurity measures, they found that many big businesses are reluctant to invest in such costly cyberdefense systems over the long term, he said.
But any government move to provide that protection via surveillance could provoke a public protest.
"Yet at the same time if people were to hack into our national power grid and take the power grid down, and people woke up one morning and there was no electricity or water or natural gas, there would be an outcry," Geis said.
Instead of intruding on private systems, Nojeim said, the government should offer incentives to help companies purchase security upgrades, while investing in new research and sharing information.
"The private systems operators know their systems the best," he said. "There’s no evidence the government could do a better job protecting them."
The Hit List
Some of the biggest cyberattacks from the last few years:
April 2007: The Department of Commerce takes the Bureau of Industrial Security’s networks offline for several months. The bureau reviews high-tech exports, and its networks were hacked by unknown foreign intruders.
June 2007: The Office of the Secretary of Defense is hacked by unknown foreign intruders. OSD officials say in 2008 that the intruders made off with an "amazing amount" of data that could be "very valuable" to adversaries.
June 2008: The networks of several congressional offices are hacked by unknown foreign intruders. Some lawmakers publicly call out China and reveal that files that were hacked contained information on political dissidents.
March 2009: The plans for Marine Corps 1, the new presidential helicopter, are found on an Iranian file-sharing network.
July 2009: Cyberattacks against Web sites in the U.S. and South Korea, including government Web sites, were launched by unknown hackers. South Korea accused North Korea of being behind the attacks, which did not severely disrupt services but lasted for a number of days and generated a great deal of media attention.
August 2009: Albert Gonzalez was indicted on charges that between 2006 and 2008, he and unidentified Russian or Ukrainian colleagues allegedly stole more than 130 million credit and debit cards by hacking into the computer systems of five major companies, the largest hacking and identity theft crime in U.S. history.
Source: Center for Strategic and International Studies