Cyberattack on U.S. Is ‘Imminent,’ Says Former Defense Official
A serious cyberattack on the U.S. is “imminent,” said Bob Lentz, a former deputy assistant secretary of defense for cyber, identity and information assurance (CIIA). Now the president of Cyber Security Strategies, he said Monday that industrial supervisory control and data acquisition (SCADA) systems are particularly vulnerable to attack. “We have reached the point where we have a clear and present and serious situation developing,” he told an event in Washington hosted by McAfee.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The Senate is preparing to release details of its much-anticipated cybersecurity bill this week. Jeff Greene, a counsel on the majority staff of the Senate Homeland Security and Governmental Affairs Committee, said Senate leadership is “working hard to have something out this week.” Greene agreed that U.S. cyber adversaries are growing more sophisticated: “The reality is that there is an increasing ability for an adversary to mess with us in ways we can’t anticipate.”
A comprehensive Senate cybersecurity bill has been in the works since Majority Leader Harry Reid, D-Nev., introduced his placeholder legislation S-21 a year ago. Greene said “political and other constraints” have prevented earlier action on the legislation. “We are trying to make this as private sector-driven as possible,” he said. “There has been a long iterative process with industry and the government and think tanks and other members of Congress.”
It’s essential that the private sector play a large role in the nation’s cybersecurity effort, other panelists said. “If we have a cyberwar it will be won or lost in the private sector,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council, a think tank. “They will be the ones at the center of the fight.” The Department of Homeland Security estimates the private sector owns and operates about 85 percent of the nation’s critical infrastructure.
Attacks on critical infrastructure systems like water, power, and nuclear utilities are the areas of greatest concern, panelists said. Hackers can get into a computer’s memory and “alter the instructions and find that part that accesses systems that aren’t IP-based to control,” said Tim McKnight, vice president and chief information security officer at Northrop Grumman. “The threat is very, very real, very, very possible and woefully untested from a forensics perspective,” he said. “We are against an adversary that only has to be right once.”
Former DHS assistant secretary for policy Stewart Baker said he was encouraged that more critical infrastructure operators are paying attention to cybersecurity issues. “I was struck by the extent to which people have begun to focus on SCADA systems,” said Baker, now a partner at Steptoe & Johnson. “If you want to have the [cyber] equivalent of a kinetic effect … you can do it by attacking industrial control systems which have not been designed for security.”
Corporate cyber espionage is another concern for businesses both big and small, said Healey, who’s also a consultant at Delta Risk. Companies need to think about how can they protect innovation, he said: “We are seeing most of the great things that we invented being stolen and taken overseas.”
Globally, the attitude toward cybersecurity is shifting, said Phyllis Schneck, chief technology officer at McAfee. In a recent survey of 250 international cyberexperts, 84 percent see cyber attacks as a threat to national and international security and trade, she said. “More than half believe that there is an arms race taking place in cyberspace,” Schneck said, citing a McAfee report done in partnership with the Security and Defense Agenda, a Brussels-based think tank. Of those surveyed, 45 percent said cybersecurity is as important as border security and 35 percent said it’s more important than missile defense, the report said.