The U.S. government needs to take action now to avoid crippling cyberattacks that could shut down major communications systems nationwide, a group of cybersecurity experts told U.S. lawmakers Wednesday.
"We are a nation unprepared to properly defend ourselves and recover from a strategic cyberattack," said O. Sami Saydjari, president of Professionals for Cyber Defense and CEO of Cyber Defense Agency LLC, speaking before the U.S. House of Representatives Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. "Inaction isn't an option."
Saydjari and other experts urged the U.S. Congress to take several steps to improve the nation's cybersecurity, work that could be begun with an investment of US$500 million.
The U.S. has been lucky so far to avoid a major attack, added Daniel Geer Jr., principal owner of Geer Risk Services LLC. "I don't think we can go much farther and say that, 'I didn't know it had a flaw,' is any kind of defense," he said. "Software licenses, to the last one of them, have that built into them."
Geer recommended that the government develop better security metrics and recruit and train cybersecurity experts.
The U.S has had some near-misses, he said. In September 2001, a week after the 9/11 attacks, hackers could have used the Nimda worm to shut down the 911 emergency dialing system in the U.S., causing major public panic, he said.
"The nation's cybersecurity challenges are profound and not easily addressed," Geer said. "Wishful thinking, whether explicit or implicit, intentional or delusional, will allow the problem to get bigger."
Not all witnesses agreed with Geer and Saydjari that a crippling attack was possible. While attackers could knock out pieces of communications networks, the possibility of a widespread outage may be overstated, said James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.
It's difficult to knock out the communications systems in even small countries, he said. "A very big country turns out to be hard to derail," Lewis added.
Still, Lewis acknowledged that the U.S. has cybersecurity problems, particularly defending against espionage. "Cybersecurity is at this time primarily a spy story," he said. "Foreign intelligence agencies must weep with joy when they contemplate U.S. government networks."
The U.S. government has placed sensitive data on unsecured networks, Lewis said, repeating criticisms from a cybersecurity hearing before the committee last week. "The last 20 years have seen an unparalleled looting of U.S. government databases," he added.
A small group of hackers couldn't pull off a major cyberattack, Saydjari said. But an organization with three years to plan and $500 million to spend could make it happen, he said. Many nations and major terrorist organizations have those resources, he added.
Last week's hearing on cyberattacks at the U.S. departments of Commerce and State was "eye-opening," said Representative James Langevin, a Rhode Island Democrat and subcommittee chairman. "We learned that our federal systems and privately owned critical infrastructure are all extremely vulnerable to hacking," he said. "We learned that the federal government has little situational awareness of what is going on inside our systems."