Promises to increase the United States cyber defenses are nothing new, though lately they are made more frequently.
On June 9, 2015, just one day after President Obama vowed to “aggressively bolster” our cyber defenses, the U.S. Army official website was hacked and defaced, apparently by a hacktivist group, supporting Bashar Assad, the “Syrian Electronic Army,” while the massive attack on the Office and Personal Management has been attributed to China.
The official statement after massive cyber breaches tends to blame the intruders and promise to fix cyber security. But warning of threats to the United States digital communications date back to the February 1970 report on Security Controls for Computer Systems by the Defense Science Board. It took eighteen years and the spread of the Morris worm throughout the Internet to “wake-up” the DoD to create computer security response teams, giving birth to a reactive, instead of protective policy.
That is when the Community Emergency Response Team (CERT) was established by the Software Engineering Institute (SEI) at Carnegie Mellon University. But only after the Oklahoma City bombing in 1995, the Critical Infrastructure Working Group (CIWG) identified the vulnerability posed by the growing interdependency among government, as well as private sector networks, and new task forces and government agencies were created to study the problems, encourage information sharing and analysis and develop computer defenses. More attacks were followed by Congressional testimonies, conferences “to raise the awareness” and task forces “to study the problems.”
According to McKinsey, government and businesses with “delayed or lost technological innovation—problems resulting in part from how thoroughly companies are screening technology investments for their potential impact on the cyberrisk, profile,” often excuse the continuing cyber vulnerability to growing number of attacks. But cyber security expert Winn Schwartau puts the blame on “the security industry [that] has been unable to provide much more than products and a wing and a prayer to accomplish” their task.
Since there is little doubt that cyber attacks threaten the U.S. national security and its economy, perhaps instead of patching up a broken system, the government should allocate whatever is needed for the best and the brightest in academia and private industry to partner in fast track “Manhattan Project”-like research and development for a different encrypted system to replace the Internet as the main venue to store and transfer information.
In the meantime, new laws to hold both the government and the private sector legally responsible for damages caused by insufficiently secure computer systems (such as from identity theft) should be enacted. Insurance companies, which would deny policies to non-complying customers, making it cost effective to install top security measures, could be used to further enforce such laws and help direct spending to develop new methods of secure communication, as well as better vetting those who have access to their systems.