September 11, 2012

Cyber-Attacks: The Next Big Threat

Eleven years ago today, America suffered a body blow to the gut. Two airplanes slammed into the World Trade Center in New York City, resulting in the collapse of its iconic towers. Another plane crashed into the Pentagon. A fourth hijacked plane crashed in Pennsylvania, killing all aboard. Nearly 3,000 people died on that day as a direct result of the attacks.

It was a day we vowed always to remember. It was a threat we vowed never to forget. Two wars and countless lives later, the threat posed by al Qaeda has clearly diminished. The threat posed by non-state terrorist organizations is still present, but the risks of a direct attack like the one on 9/11 on American soil have been greatly reduced.

Other threats persist. In my view, the clearest and most present danger we face is a cyber-attack. Daily probes and attacks by governments and gangsters and angst-ridden do-gooders are now routine. Pretty much anyone with a little know-how and an internet connection can play in this game.

What's at stake? President Obama, in a recent op-ed piece in the Wall Street Journal, described a simulated attack against the nation's rail system and selected water treatment plants. The list could easily be expanded to include the banking and energy infrastructure, as well as hospitals. Anything that is connected to the internet is vulnerable to a cyber-attack.

You think you have problems now? Imagine if your bank went down for a few days, and your accounts were not accessible or your credit cards wouldn't work? Or some gangster in Estonia steals your credit card account information? Got a pacemaker or maybe an insulin pump? You could be vulnerable to a cyber-attack. Bet you didn't see that one coming. Let me say it again: anything connected to the internet is vulnerable.

The irony is that President Obama may have been his own worst enemy here. The ill-considered use of a computer worm to throw a monkey wrench into the machinery used in Iran's nuclear program could result in major blowback down the line. The techniques and the technology behind the Stuxnet attacks are now "in the wild," as cyber-security experts like to say. (A Google search on the phrase "stuxnet source code download" gets over 100,000 hits.) Anyone can download the code and have a go at making their own improvised computer-destructive device that can be delivered to any business or government facility that has a gap in its computer defenses. That would be just about all of them.

The nation's businesses are shockingly lax when it comes to cyber-security. That laxness is matched by a hyper-vigilance when it comes to government efforts to impose some sort of minimal standards of cyber-security. Anything that would take away from the bottom line is quickly branded as being bad for business. And there are those who worry that the threat is being exaggerated and that the cure will be worse than the disease.

There are legitimate issues any time government seeks to extend its regulatory authority into new areas. But common sense argues that certain key industries have a responsibility and a duty to take minimal and reasonable steps to bulk up their cyber-security. We can't eliminate the threat, but we can make it more difficult to launch such attacks.

The hardest thing to accept about 9/11 is that intelligence analysts had been warning for some time that such an attack was possible, although the exact nature of the threat was hard to pin down, the timing unclear. That's not to say that the attack on 9/11 could have been prevented, but the lack of such attacks in the wake of vastly improved security measures shows that an ounce of prevention is still a good bargain.

There is nothing vague about the threats posed by cyber-attacks. We know the danger is real. We know they are happening every day. We know what to do to make it harder to launch such attacks. We have the way. All we need now is the will to get the job done.
