If the bad guys launched a coordinated cyber attack on the United States tomorrow, neither government nor industry would be able to stop it, experts warned legislators yesterday.
At a hearing held by the House Permanent Select Committee on Intelligence, cyber defense experts testified that government agencies are insufficiently coordinated to handle an attack, and that efforts to build a defense have not adequately addressed issues in the private sector.
"The Department of Homeland Security lacks the personnel, capability, authority, and culture required to do the job entrusted to them by the President and Congress," said Amit Yoran, CEO of NetWitness Corp. and former director of the National Cyber Security Division at DHS. "DHS's cyber efforts are disorganized and disjointed, and practical operations continued to be buried deeper within the organization.
Yoran quoted Robert Stephan, DHS Assistant Secretary for Infrastructure Protection: "Most of the time, every day, I spend most of the bullets in my single 30-round magazine that I bring to work every day shooting into the backs of our own bureaucracy, trying to clear a field of fire," Stephan reportedly said. "So, I have one bullet left to either pump at al Qaeda -- or save it for me, because the bureaucracy is about to overwhelm me."
"Our current information infrastructure is riddled with holes, unknown backdoors, and is extremely difficult to protect in the face of increasingly sophisticated adversaries," said Paul Kurtz, a partner with Good Harbor Consulting and a member of the Center for Strategic and International Studies's (CSIS) Commission on Cybersecurity.
Yoran and Kurtz both said that the government isn't doing enough to involve private industry in the cyber defense effort. For example, there is no organized way for companies and government to share information about attacks or breaches, they said. There is no coordinated strategy or mechanism for sharing intelligence about intrusions with companies, nor is there a systematic way for companies to share information with the government, said the panelists
Yoran once again raised warnings that private companies which deliver parts of the nation's critical infrastructure -- such as utilities -- are not well coordinated in cyber defense. He said that the definition of "critical infrastructure" has become overly broad, which makes these defenses more difficult to develop.
Kurtz registered concerns about the theft of intellectual property from U.S. companies, which he said is occurring at a rate of $200 billion a year. "American industry and government are spending billions of dollars to develop new products and technology that are being stolen at little to no cost by our adversaries," he said. "Nothing is off limits -- pharmaceuticals, biotech, IT, engine design, weapons design."
The CSIS commission is scheduled to release a full report on its evaluation of U.S. cyber defenses in November.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.