Daily cybersecurity intrusions are threatening America’s ability to remain the world leader in innovation, yet few are paying attention, according to co-chairman of the Congressional Cybersecurity Caucus Rep. James Langevin (D – R.I.).
“Large amounts of data are being siphoned off – stolen – on a daily basis,” said Langevin, during a panel discussion at the Brookings Institution Wednesday. “If someone was hauling off filing cabinets of information, that would be tantamount to an act of war. But because it’s happening in the digital realm, there isn’t that sense of urgency. “
But the threat of a major cyber-attack is real, as evidenced by a series of attacks on Estonian banking Web sites in 2007. The threat of a similar attack in the United States, according to Langevin, requires a new cybersecurity approach that balances tax breaks and insurance incentives with government regulations.
“Cybersecurity is a moving target. It’s an evolving threat,” said Langevin. “We are never going to be able to get to the point where we are 100 percent successful. What we need to do, basically, is to close the window of vulnerability.”
Cybersecurity refers to the measures taken to protect data stored on computers or in shared networks. As ”big data” gets bigger, the threat of a cyberattack grows.
There are three levels of cybersecurity breaches: intrusion, disruption and attack. According to Langevin, intrusion and disruption involve criminal action or espionage, and they occur almost every day. A cyber attack, on the other hand, is a more serious breach perpetrated by an individual, terrorist group or even nation-state that wants to cause damage, not just obtain information. The latter hit Estonia in April 2007. when Web sites for major Estonian government agencies and banks were crippled by a series of cyber attacks, according to Jaak Aaviksoo, Estonia’s minister of education and research and former minister of defense. Estonian officials regarded the attacks as a threat to national security.
But U.S. agencies and businesses should not wait for this type of cyber-Pearl Harbor attack to hit the U.S. before they act, Langevin said.
“The cost of inaction can be greater than acting,” he said. “Something happens on the scale of an attack on critical infrastructure, we’ll all be saying, ‘Why didn’t we move more quickly? Why didn’t we invest more wisely in protecting that?’”
Langevin said he would like to mobilize the insurance industry to provide incentives to companies that implement cyber-attack protection strategies. This “good intentions” approach would help close the window of vulnerability for many institutions, he said.
But the window of vulnerability is a moving target. Even government experts do not understand the depth of the problem, said Jim Longley, CEO of Diritech and a former House representative from Maine.
“I’m not so sure the government is keeping up with the threat,” he said. “We have a very serious problem in that respect.”
According to Mike Nelson, research associate for the Leading Edge Forum, government leaders also do not know how much it would cost to fix current cybersecurity weaknesses.
“Everyone understands that there is a huge threat here and a huge potential price tag,” said Nelson, “but they don’t know what the price tag is.”
Moreover, the current regulation governing cyber attacks is vague and does not specify what types of attacks need to be reported. As a result, many cybersecurity intrusions go unreported.
As a result, Langevin is calling for the creation of a cybersecurity director in the executive branch. Currently, Cybersecurity Coordinator Howard Schmidt does not have the authority to reach across agencies and require that they follow mandatory cybersecurity reporting, Langevin said.
According to Langevin, this would allow a better information-sharing system to take place at the internet service provider (ISP) level between institutions and the Department of Homeland Security.
“It’s not about embarrassing or punishing companies that are hacked,” he said. “It’s about sharing the damage and containing the damage for others.”
That type of transparency and declassification is critical to the long-term success of American cybersecurity, according to Nelson.
“We are losing in cybersecurity because the bad guys are better networked and more collaborative than we are,” said Nelson. “There’s a balance that we’re getting wrong, locking down too much, not being transparent about how we run our operations.”
Greater transparency will protect U.S. interests in the long run because the data system will be more secure, discouraging attackers before they strike.
“If the damage isn’t done because the systems are secure, we have a much better system than if we’re trying to chase the criminal after the database has been compromised or the intellectual property has been stolen.”
Read more news and ideas on Innovations: