A massive cyber attack on American infrastructure is the 21st-century equivalent of the neutron bomb. All buildings remain standing but systems inside them are rendered useless. Human beings aren't killed on a large scale, but few, if any, are left standing either. And while this sounds pretty dire, it's quite likely some segment of this nation will at some time be shut down by cyber terrorists.
Late last month Janet Napolitano, Obama's homeland security chief, made some startling statements at a live event on cyber security sponsored by the Washington Post. For example, she said that hackers have "come close" more than once—maybe several times, or maybe many times—to compromising critical segments of America's infrastructure. In particular, she mentioned that big banks and transportation systems were popular targets for cyber attackers. When she was asked how many cyber attacks might have occurred during her 45 minute conversation, Napolitano replied, "Thousands." And if that weren't enough by itself, her most ominous remark was delivered in almost desultory terms: "I think we all have to be concerned about a network intrusion that shuts down part of the nation's infrastructure in such a fashion that it results in a loss of life."
It goes without saying that if an attack successfully shut down essential services, people would die unnecessarily. Curiously, Secretary Napolitano's remarks didn't attract a great deal of attention because it wasn't news like it used to be. Large-scale data breaches or security hacks themselves are reported, but not highlighted as much, because they happen so frequently. It's similar to the criticism that the media sometimes considers shootings in "bad" neighborhoods as common occurrences and no longer really treats them as newsworthy. As a result, the near-apocalyptic observations about a hidden part of America (the binary bits of the cyber highway) by a cabinet level officer also seemed to go unnoticed, drowned in a sea of news about gridlock in Washington, collapsing governments in Europe, and the brain blips of certain presidential candidates.
By this time we all know that most major institutions of government and industry have been hacked in some way, shape or form. Millions of people were compromised when Sony, Citibank, the Department of Veterans Affairs, contractors for the Department of Defense and others were successfully breached.
At least we heard about those.
A couple of days ago, Virginia Commonwealth University disclosed that a server containing files with the personal data, including Social Security numbers, of 176,567 current and former students, faculty, staff and affiliates had been compromised. From what I can tell, this breach wasn't reported anywhere except in local media and some security and tech websites. So I guess we're not likely to hear much about breaches of this type as time goes on, because they've become the equivalent of "white noise." But especially after hearing Ms. Napolitano's comments, perhaps we don't hear about other cyber attacks—hopefully far less common—which are directed at hurting all of us instead of just some of us, for very different reasons.
The government has tacitly acknowledged that the war is on, which can be deduced more from actions than from words. The Department of Homeland Security is hiring 1,000 cyber security specialists, and the always covert NSA is looking to hire 3,000. At DEFCON, the Las Vegas convention of hackers held last August, representatives of Homeland Security, NASA, the NSA, and the CIA were among the 10,000 attendees. For the agencies, it was a massive job fair, presuming that one could distinguish the white hats from the black hats during the interview process.
If you've ever read a copy of The 9/11 Report, you know that interagency cooperation is not necessarily a foregone conclusion. Indeed, there was some credible speculation that the 9/11 plot might have been uncovered and thwarted had the alphabet agencies been amiable instead of antagonistic. So while maybe it's a good thing that everybody's trying to hire people to fight the bad guys, two questions remain: why are they scrambling to staff up now, rather than a couple of years ago when the problem was already obvious (do they know something we don't?); and what makes anybody think all of these government agencies that at some level compete with one another can work together as a team, or better yet, as an army?
In the good old days, Ronald Reagan defeated the Evil Empire (aka the Soviets) by outspending them. The thinking was simple—America would keep building more armies and more armaments against an enemy that simply could not keep up financially. It worked, didn't it? And although those old Cold War enemies, China and Russia, are the most often-named potential thieves of American PII (that's personally identifiable information), fighting hackers is much more like a land war in Asia than anything else. The enemy doesn't follow any rules, doesn't wear uniforms, can be very hard to identify or even see, and may or may not be associated with an actual nation-state. As you and hopefully some officials in Washington may recall, fighting land wars in Asia just isn't our thing.
The U.S. government needs to be certain that our response to this genuine and massive threat is not as bureaucratic and fractious as everything else that goes on in Washington these days. We can't just spend our way out of this since the bad guys have as much, if not more, money, sophistication and sophisticated technology than we do. We need an organized and centralized cyber-army. We need a population sufficiently informed of the risks so that "if we see something, we say something" and we do something. And, most of all, we must acknowledge that of all of the potential catastrophes faced by this nation in the 21st-century, a cyber attack from a dedicated enemy—be they a terrorist group, a competing nation-state, or just a bunch of crazies along the lines of the villains in the titles of James Bond novels—is the one to whom we are most vulnerable.
Adam Levin is Chairman and cofounder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.