U.S. Secretary of Homeland Security Janet Napolitano said Friday she believes a "cyber 9/11" could happen "imminently." A coordinated terrorist cyberattack could effectively shut down the country, she says, and more needs to be done to prepare.
"We shouldn't wait until there is a 9/11 in the cyber world," Napolitano told Reuters news service, referring to the massive terrorist attacks against the U.S. on September 11, 2001. "There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage."
The Real Risk
Chris Petersen, chief technology officer of LogRhythm, a log management and SIEM 2.0 provider, said in reaction to Napolitano's comments that it's unfortunate President Obama needs to consider signing an executive order on cyber security.
"Ideally, Congress would recognize and act on the threat we face as a nation when it comes to defending ourselves against cyber war and cyber terrorism. These threats are real and will only increase in the years to come -- drastically and swiftly," Petersen said. "If signing an executive order does nothing other than help move cyber security spending up the stack of 2013 IT budgets, it will be a win for us all."
As Petersen sees it, there are real and valid concerns when it comes to cyber security legislation, a main concern being additional compliance burdens on U.S. companies. While concerns are understandable, he said, the reality is that without a measuring stick, companies won't know if they have gone far enough in protecting themselves. Without enforcement, some companies will just kick the can down the road and hope for the best.
"We appreciate that there are valid concerns and criticisms that will be disclosed through discussion. However, there is real risk in delaying action as we wait years for all opinions and concerns to be aired," Petersen said. "We need immediate action with continued refinement in years to come. For example, this refinement could be an industry taking a self-regulating approach similar to NERC-CIP in the energy sector or PCI in retail."
A Troubling Concept
Amrit Williams, CTO of Lancope, said that, given the events of 9/11, it would seem logical that under a massive sustained attack on our critical infrastructure and our digital assets -- both public and private -- it would be warranted for the administration to do whatever would be required to regain control and eliminate the threat. Of course, he admitted, that's easier said than done.
"This is a massive logistical problem, growing even more so as technology advances and becomes adopted as part of our digital fabric. Unfortunately there will be mistakes, errors in judgment, and poorly written policies that may very well lead to significant self-inflicted damage," Williams told us.
The concept that the president, under an emergency situation, can take control of aspects of the Internet -- including non-governmental infrastructures -- is very troubling to Williams. Ultimately, he said, this provides a very real vector for attacking the entire United States in a way that would not normally be afforded to those who wish to do us harm.
"We are entering an era that will be marked by unprecedented attacks on our critical infrastructure," Williams said. "I also believe that ultimately the U.S. government needs to be accountable for ensuring that services are available and the U.S. thrives."
Significant concern comes, as Williams pointed out in conclusion, because "the U.S. is ill-prepared to deal with mainstream malware outbreaks and unsophisticated network intrusions, let alone a highly coordinated attack that would actually justify such a response."