Analysis: One Step Behind

As cyberattackers march on, the government still is trying to figure out how to secure the nation's critical networks.

Several miles from Tiananmen Square in Beijing, a slight young man with long hair, dressed in a black T-shirt, sits in a smoky cyber cafe staring at the screen of his laptop computer. He doesn't look like a soldier, but he is conducting offensive combat operations as a first lieutenant in the People's Liberation Army. He is a graduate of an elite academy where he learned to master the weapons and techniques of warfare: botnets, spoofing, phishing and polymorphous worms, to name just a few. He is engaged every day in attacking numerous U.S. computer systems to gain access to sensitive and classified government data. He is quiet, he is patient, he is skilled, and he is winning.

Every day thousands of people like him around the globe tap into government systems. The vast amounts of data they extract range from veterans' medical records to the refueling protocols for Navy ships at sea to the systems responsible for diagnosing maintenance problems for the F-35 Lightning II fighter and even the unclassified e-mails of Secretary of Defense Robert Gates. According to media reports, the Homeland Security Department estimates more than 60,000 cybersecurity breaches targeting government, industry and individuals in 2008 -- more than 18,000 for the federal government alone.

The damage does not end there. While massive amounts of official data are being exfiltrated from federal computers, other attackers are probing emergency response systems in hundreds of cities and municipalities, mapping electrical power grids and tapping into communications nodes. Still others are stealing the personal and financial information of hundreds of thousands of citizens and causing the loss of hundreds of millions of dollars to businesses whose systems have been invaded and compromised.

Cyberwarfare could soon become the No. 1 threat to national security. Think about it: how much of our daily lives is controlled in cyberspace? The gas we buy at the pump, the ATMs we use to get some quick cash, the air traffic control system that directs 6,000 to 8,000 planes aloft at any given time: all these and many more actions are governed by computers. Imagine the havoc that would result if these systems suddenly were offline due to a massive denial-of-service attack. Life would grind to a halt. Traffic lights would go dark, elevators would stop, life-support systems in hospitals would blink out.

Some nations already have felt the effects of a cyberattack on their sensitive information systems. In April 2007, the Baltic Republic of Estonia suffered massive assaults on its government computers that browned out the nation -- banks, parliament offices and utilities all experienced degraded service. In August 2008, when Russia invaded the former Soviet Republic of Georgia, cyberattackers disabled command-and-control systems, making it impossible for Georgian military units to communicate with each other. And Chinese military doctrine cites cyber measures as a valid weapons system on par with submarines and combat aircraft.

The adversaries are not just nation states. A large amount of hacking comes from organized criminal organizations in the business of stealing financial, industry and personal data. According to the White House's "Cyber Space Policy Review," released in May 2009, breaches have skyrocketed since 2005. In 2007, 127 million records were compromised, a 600 percent increase over the previous year. The costs of cyber crime are staggering, with $105 billion lost worldwide in 2007, making it more profitable than international illegal drug trafficking. Industry estimated the losses from theft of intellectual property reached $1 trillion in 2008.

The nation has been watching these developments with growing alarm and unease, but that has yet to transform into action. Under the Bush administration steps were taken to address the problem, but efforts were disjointed and uncoordinated. President Obama recognizes the need for greater government focus on the problem and announced he would appoint a senior-level person to coordinate and direct all government cyber defense initiatives. To date, that person has not yet been named.

In its December 2008 report "Securing Cyberspace for the 44th Presidency," the Center for Strategic and International Studies said, "The United States must treat cybersecurity as one of the most important national security challenges it faces. Cybersecurity can no longer be relegated to information technology officers and chief information officers. Nor is it primarily a problem for homeland security and counterterrorism. And it is completely inadequate to defer national security to the private sector and the market. This is a strategic issue on par with weapons of mass destruction and global jihad, where the federal government bears primary responsibility."

The "Cyber Space Policy Review" was encouraging, calling for short- and mid-term action plans, but it leaves many questions unanswered. There still remains the inevitable Washington rice bowl struggle as to where the real power to direct cyber defense will reside. Some argue the National Security Agency, with its vast array of supercomputers, should have the lead, while others contend that the military's new Cyber Command is best equipped to fight this 21st century war. Others note the new cyber czar could be a toothless tiger, similar to the so-far ineffectual Director of National Intelligence, who has yet to be able to coordinate all the agencies in the intelligence community. Other challenges include how the private sector, which owns and operates much of the digital grid, will be engaged in securing cyberspace, how civil rights and liberties will be protected from government snooping and how the many agencies touching the cybersecurity issue will work together.

Whatever the remedy, the nation needs to get on with the business of defending its infrastructure sooner, not later, and the task will be monumental. The new cyber czar should assert authority immediately, making all stakeholders understand that he or she has not only the ear of the president but clout as well. It's too early to tell whether this new effort will bear any fruit, but the stakes are so high that the government simply cannot afford to fail. Securing cyberspace must be a hallmark of the Obama administration.

Jack Thomas Tomarchio was deputy undersecretary for intelligence and analysis operations at the Homeland Security Department during the Bush administration and now is chief executive officer at NICOR Cyber Security LLC.