Amit Yoran: a "Cyber 9-11 has happened over the last 10 years, but it's happened slowly so we don't see it"; Bruce Schneier: Threats such as natural disasters and bad programming codes are still bigger threats to U.S. national security.
Lat week President Barack Obama released the much-anticipated report on cybersecurity and announced the creation of national cybersecurity czar. Kevin Poulsen, editor of Wired.com's Threat Level blog wanted to know whether the hacking threat to national security overblown? He used the occasion of of a recent panel discussion of cybersecurity experts during the Computers, Freedom and Privacy Conference 2009 in Washington, D.C., the other day to raise the question.
Here is what some of the expert said:
♦ Amit Yoran, a former Bush administration cybersecurity czar, said the answer is yes, pointing to the crippling cyberattacks on Estonia, attacks on government contractor Booze Allen Hamilton, and the recent cyberexploit against defense contractor networks holding information on the Joint Strike Fighter. Notably, Yoran argued a "Cyber 9-11 has happened over the last 10 years, but it's happened slowly so we don't see it."
♦ Dr. Herb Lin, a cyberattack expert at the National Research Council, said the threat from cyberattacks are very real but believes not enough attention is given to cyberespionage by the media because cyberterrorism and cyberwar receive more Web traffic and sell more papers. Lin believes the United States needs the ability to effectively unleash cyberattacks against adversaries to deter and dissuade cyberspies and other cyberadversaries. "[W]e don't consider spies inside the United States to be an attack on the United States," he said, adding ""Passive defenses alone are not sufficient. You have to impose costs on an attacker and maybe the only way to do that is a cyberattack yourself. The good guys have always had some sort of offense too."
♦ Poulsen believes the threat is highly exaggerated and criticized calling cyberexploits and cyberattacks national security threats because then the attack information gets classified. "If we can't publicly share info that the attackers already have - since it's about them - then we are doing far more harm than good," Poulsen said, because it denies IT security professionals the ability to learn from the attacks and counter them in the future.
♦ Security maven Bruce Schneier says the threat is real, but he seemed to agree with Poulsen that it can get overblown at times. Threats such as natural disasters and bad programming codes are still bigger threats to U.S. national security, he said.
