According to U.S. officials, several foreign nations have illegally gained access to our government’s computers and searched for vulnerabilities in our electronically based infrastructure. Those nations may also have planted electronic mines, which when activated could disrupt our systems. During a conflict, such enemies could launch covert attacks on our critical infrastructure, taking down the computer networks that run our power grids, telecommunications switches, banks and financial services, water supply, and air traffic control. At an AEI seminar on June 19, a panel representing the business, government, and legal communities addressed this threat to national security.
Richard A. Clarke
A group of financial service providers has already taken the initiative by joining the Financial Services Information Sharing and Analysis Center (FS-ISAC), a watchdog group that provides a database allowing members to anonymously report cyber-attack incidents and search for other incidents, vulnerabilities, threats, and solutions. Panelist Stanley R. Jarocki, chief information security officer for the Depository Trust and Clearing Corporation, established the FS-ISAC, which is open only to paying member companies. (Companies in other industries, such as transportation and telecommunications, plan to form their own ISACs.) Jarocki warned that e-commerce has evolved into a highly open system and that, due to the increasing use of cable modems at home, our susceptibility to hackers has never been greater. The private sector needs to address vulnerabilities in its systems and might consider doing so through mutual protection groups similar to the FS-ISAC.
Elizabeth Rindskopf Parker, general counsel for the University of Wisconsin system, offered a legal perspective on the issue of cyber threats. Perpetrators of cyber attacks can range from individuals within the United States to hostile foreign nations, and the repercussions of attacks can vary from minor annoyances (such as viruses) to national hazards. Attacks may therefore fall under the domain of either domestic law enforcement or national security operations, and legal standards are not the same for the two areas. We must thus proceed thoughtfully in reconciling those standards and realms of protection. If we react too rashly to cyber threats and ignore the legal conflicts involved, people and companies, especially those concerned with civil liberties and privacy, may overreact in the future if they feel their rights were violated. Nevertheless, those same people concerned with personal privacy will probably lead the fight against attacks on their computer systems, thus spurring private action against cyber security threats.
Richard N. Perle closed by offering solutions to the problem of cyber attacks. He predicted that we are bound to see a growing number of domestic hackers breaking into computer systems. To effectively discourage such attacks, which can cause millions of dollars in damage, we should impose tougher penalties, such as ten to twenty years in jail. In addition, law enforcement should offer generous rewards for information leading to the arrest of such hackers.
Perle also suggested increases in protection against foreign attacks. Currently, governmental agencies stage cyber attacks in order to practice defending against them. But the mock attacks tend to test areas already fortified against cyber threats. We need to develop more tests of our vulnerable systems. The Securities and Exchange Commission can motivate the private sector to protect its own infrastructure by requiring companies to report to their board members on what they are doing to prevent attacks (similar to SEC requirements for Y2K preparation), so that investors become more attuned to security issues. In dealing with foreign nations, we should not hold or attend international conventions involving many other countries. By doing so, we risk spreading to other nations knowledge of technology that can be used against us. When we do detect foreign cyber attacks, we should hold the offending country, not the individual hacker, responsible.