Perhaps the most disturbing statement was by Vice Admiral Michael McConnell (USN, Ret.) who said that risks from cyber attacks will not be mitigated until there is more active government involvement and that involvement will not be forthcoming until a “catastrophic event” actually happens. McConnell dropped this bombshell in a somewhat casual manner, as if he personally had made peace with the expectation that some really disastrous event will occur and that nobody is going to do anything material to stop it.
My overall impression of the Hearing was a general lack of urgency. Panel members, particularly my colleague Scott Borg, pointed to the fact that considerable damage is already being incurred by the U.S. economy every day directly due to attacks and indirectly from the hampering of potential growth. And yet, in response to requests from the Senate Committee members as to what the legislators might do to help, suggestions were generally long term and strategic, such as introducing cyber security curricula, rather than immediate and operational.
It is really quite bizarre that, despite indications of serious current compromise and potential catastrophe, responses appear to be so lackadaisical. To some extent this would seem to be due to the public not really believing that the worst might occur and thinking that someone will take care of it should it happen. In part, this may be due to what I call the “Y2K syndrome.” The general impression was that Y2K was that fear mongers and those who stood to gain financially from remediation efforts inflated the risks and that it was a “non-event.” Having been closely associated with the Y2K effort, particularly in regard to contingency planning, I am convinced that, had not hundreds of billions of dollars been spent on correcting the millennium bug, we would have faced wholesale breakdowns and many computer systems would have been out of action for months.
Popularity: unranked
One Comment
Great point about something terrible needed to happen before anything is done: our government system is by and large a reactionary one rather than a proactive one. When it comes to preventing catastrophic issues we have major obstacles unless the threat is imminent. Unfortunately the “invisibleness” and complexity of cyber security lends itself to never seeming like a threat (unless one is one the front lines witnessing the attacks). In regards to the Y2K syndrome, I wrote something similar about general H1N1, InfoSec and human behavior here:
http://www.bloginfosec.com/2010/01/27/h1n1-threat-overblown-information-security-relevance-a-logic-proof/