Following the Sept. 11, 2001, terrorist attacks, many physical security systems in the United States underwent radical change. But what of our constantly growing online systems? Each new hacking attack and government revelation seems to indicate that national online defenses are weaker than ever.
So how much of a problem is the current state of national cybersecurity, and what can government agencies do to improve it beyond spying on other countries — and on U.S. citizens?
"How real is the threat? One needs to look no further than the latest headlines to know that this is not a theoretical concern," said Michael Sutton, vice president of security research at Sunnyvale, Calif.-based security firm Zscaler.
Several remarkable revelations accompanied this past summer's release of the U.S. Department of Defense's long-awaited Strategy for Operating in Cyberspace. According to Deputy Secretary of Defense William J. Lynn III, an unnamed foreign spy agency broke into a corporate defense contractor's system in March and managed, in a single intrusion, to make off with approximately 24,000 Pentagon files.
While neither the contractor nor the content of the files was disclosed, Lynn went on record to admit that other critical files had been stolen in the past, including details about U.S. fighter jets, missile systems and unmanned drones. (Top defense contractor Lockheed Martin said in May that it had been a victim of a sophisticated cyberattack.)
How could such stolen information be used against the United States?
"The next Pearl Harbor we confront could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems," said Secretary of Defense Leon Panetta during his June confirmation hearings in front of the Senate Armed Services Committee.
There's already some precedent that's cause for concern. During the Aug. 14, 2003, blackout in the eastern U.S. and Canada, the then-rampant Blaster computer worm was said to have contributed to the severity of the power outage by crippling utility companies' computers, according to a 2004 congressional report on potential cyberterrorism.
The report also noted that during the same year, another computer worm penetrated the control-room systems of the Davis-Besse nuclear power plant in Carroll Township, Ohio. Fortunately, the plant was shut down at the time.
Experts say that these and other online threats to American infrastructure and lives exist because of three areas of vulnerability: outside government contractors (as in the March break-in at the defense contractor), foreign governments (friendly or otherwise) and the software systems themselves.
By necessity, the government must work with outside companies to get the latest technology and to further develop systems. And those companies aren't only defense contractors like Lockheed. Even Google reportedly supplies special search-and-mapping software to the U.S. intelligence community. But Google itself has been among the victims of serious hacking attacks that laid bare information and systems of dozens of major U.S. corporations.
While the attackers are rarely conclusively identified, many security experts point out that foreign governments are engaged in cloak-and-dagger digital maneuvers.
The Chinese air force has a division whose goal is to use cyberattacks to wreak havoc with command-and-control systems in other countries, according to Tom Patterson, chief security officer for security device manufacturer MagTek Inc. in Seal Beach, Calif.
Other governments, including our own, have similar departments. In an online fact sheet, the U.S. Cyber Command states that its mandate is to "direct the operations and defense of specified Department of Defense information networks and prepare to, and when directed, conduct full-spectrum military cyberspace operations."
Of course, the principal vulnerability that such cyberwarfare targets is the software itself. According to a DoD release, more than 60,000 new malicious software programs or variations "threatening our security, our economy and our citizens" are identified every day.
Some experts — and some congressional reports — suggest that the government's reliance on commercial off-the-shelf (COTS) software makes its systems more vulnerable. It gives hackers a known target at which to direct their efforts, and cybercriminals often trade information on weaknesses in popular COTS programs.
Custom-built software and systems can provide better security, some experts claim, because the details about how such systems work are not well known, and attackers don't have the necessary access to identify vulnerabilities.
Zscaler's Sutton disagrees. He pointed out that COTS programs undergo more security checks and fixes, making such programs inherently more secure.
"For my money, I'd rather implement a system secured via peer review, as opposed to security through obscurity," Sutton said.
Tracking down the enemy
There is still much discussion about what strategy should be adopted to protect American online resources. Gen. James E. Cartwright, vice chairman of the Joint Chiefs of Staff, told reporters in July that the military should adopt a strategy that essentially boils down to the idea that the best defense is a good offense.
Cartwright said that most digital resources are currently focused on building better firewalls, rather than on deterring hackers from attacking in the first place. Some listeners took Cartwright's comments as a suggestion that U.S. agencies should engage in digital counterattacks.
However, identifying the enemy in cyberspace can be difficult at best. Most attackers use anonymizing Web services based in countries such as Thailand and Russia, and often take control of computers in still more countries to coordinate their activities.
Given the lack of official international cybercooperation, getting several foreign governments to coordinate a search before the attackers disappear can be next to impossible. There's also the unresolved question of whether the U.S. government's cybersecurity personnel should step in when private American companies are attacked.
The result is a murky picture when assessing online safety and security.
"Overall, we are less secure than we were 10 years ago," Sutton said.
"The decreased security has little to do with technology," he added. "The human element is the weak link today, just as it always has been, and in a world where the majority of data is stored digitally, it is only a matter of time before human error leads to data leakage."