June 30, 2010
Are We Ready for a Cyber-Pearl Harbor?
James Carafano, PhD
Somebody in the Pentagon had an idea.
"Let's take down the Internet."
In 1997, the Department of Defense led an exercise called Eligible Receiver. A team of cyber-experts was given three months to plan and execute an attack on unclassified computer systems using commonly available hardware and software. The red team came from a not-to-be-named shadowy agency -- but we know it was the National Security Agency.
The cyber-Jedi claimed that if they had actually conducted an attack, they could have brought down defense command and control systems, as well as major portions of the national electric power grid and 911 systems. It could all come crashing down in some massive digital Pearl Harbor.
Some doubted these claims. The department did not provide public reports that could be used to verify them, but it was clear they were stunned by the results.
Pentagon spokesman Kenneth H. Bacon told reporters, "We have a lot of work to do to provide better security. We're not alone in this regard. Most businesses, many private institutions, many individuals have a lot of work to do in improving their ability to protect their computers and computer systems."
Fast-forward to the present. It's over a decade later. No one in the Pentagon would argue that the nation is any less vulnerable.
Congress is trying to do something about it, writing comprehensive cybersecurity legislation. It's still trying to decide if that is good news or bad news.
The latest effort is a bill drafted by Sens. Joseph Lieberman, I-Conn., Thomas Carper, D-Del., and Susan Collins, R-Maine. Like most draft legislation that tries to tackle a complex, complicated, controversial problem, the answers it provides are a bit of the good, the bad and the ugly.
Good: The bill includes some clear guidance and requirements on incident reporting. The best weapon online is knowing what is going on online. Private enterprises like Wikipedia and Google do extensive Internet monitoring. Incident reporting, however, is no complete silver bullet.
When Michael Jackson died, Google experienced a dramatic surge in searches for the King of Pop's name. Initially, this was believed to be a denial-of-service attack by hackers. Wikipedia shut down its "Michael Jackson" page for six hours (after confirming he really was dead) when hundreds of people tried to edit it at the same time.
Lesson learned: cyber-situational awareness is an imperfect science. Still, improving Washington's awareness of what is going on in the cyberverse makes sense.
Bad: The bill includes the typical congressional response that no matter what the problem is, growing and reorganizing government is the answer. In most cases, cybersecurity included, Congress misses the mark.
What we really need to do is build better cyber-strategic leaders in government and network them together, a 21st-century solution to a 21st-century problem.
Ugly: The bill grants the president dictatorial control over cyber-systems in emergency situations. That's ugly because Washington would be clueless on how to wield this authority effectively, and because there would always be concern that the president might abuse this power. It might not make much of a difference in any case, though, since the Internet is a global commodity.
Congress is, at least, making a serious effort at dealing with cybersecurity. Lawmakers need to keep working till they get it right. We will have to live with the consequences of the law for a very long time. And we deserve a cure that isn't worse than the disease.