Cyber Security Industry Alliance Newsletter •  Volume 3, Number 1  • September 2006

Executive Director’s Message

September marks the five-year anniversary of the September 11, 2001 attacks. It is a solemn time of remembrance and reflection for all Americans, including those of us at CSIA.

When the attacks occurred, I was working in the White House on national security and counterterrorism issues. For those of us on the inside, 9/11 and the days that followed were full of challenges we had never faced before, and many we hope never to face again. Amid the chaos, fear and sadness of those days, there were many lessons to be learned – some of which we embraced, but sadly some of which we have already forgotten.

It goes without saying that the need to prevent the terrible loss of life at the hands of our enemies here at home was, and should be, our government’s highest priority in the wake of these tragic events. The efforts to improve the security of our airlines, our buildings, our government institutions and key physical infrastructure and enhance our emergency response capabilities are important undertakings critical to ensuring our national security.

 

However, we also learned that our information infrastructure plays an important part in our nation’s security. In fact, cyber systems represent the newest and most pervasive of our critical infrastructure, underpinning nearly all of the vital national services that drive and organize every facet of our collective and individual lives, from national and economic security to personal health and well-being. And yet, we have to ask ourselves, are we doing enough to protect these systems that have proven to be so critical to our everyday lives?

  

In the weeks and months after 9/11, we heard a number of experts and pundits discuss the possibility of a digital 9/11 – a crippling attack on our information networks that would leave our economy in ruins. A few years later, many dismissed this possibility as unlikely, citing that it would be difficult to pull off and that we had never seen such an attack. The frightening aspect of this argument is that most Americans would have said the same thing about the terrorist attacks of 9/11 just the day before. In fact, some experts have called our former inability to believe that the events of 9/11 could ever happen a “failure of imagination.” Can we be certain that we are not falling victim to the same failure of imagination when it comes to our nation’s cyber security?

And while a “digital 9/11” may be the worst-case scenario, what about all of the cyber security problems we are already experiencing? What about the increase in targeted, organized cybercrime, much of which is coming from international sources, or the mounting evidence of international spies trying to penetrate our government computer systems, or even the loss of privacy for millions of Americans due to poor cyber security practices? The truth is that cyber attacks are occurring every single day. How much are they costing us now? How much more will they cost us if they continue to be ignored?

 

Unfortunately, in the five years since 9/11, the government has made very little progress in addressing the security vulnerabilities of our information infrastructure. In 2003, President Bush asked for recommendations on what should be done to ensure our cyber security, and hence the National Strategy to Secure Cyberspace was created. Yet, while the strategy is sound, very little has happened in terms of its execution. Almost everywhere we turn, government leadership on cyber security has been absent. A notable example is the unfilled position of assistant secretary for cybersecurity and telecommunications at the Department of Homeland Security, but we can point to many more. From funding to research and development to Congressional action, we have seen progress stalled on nearly all fronts.

As we look back on the lessons learned from 9/11, it is both natural and necessary to focus on the ones that affect our ability to protect human life. Yet, we must not overlook the threats to our critical information infrastructure. They may be more silent and insidious, and perhaps we have even gotten used to tolerating many types of cyber attacks, but we cannot ignore the potential for real damage from a catastrophic cyber security failure at the hands of our enemies or a natural disaster. Let’s not add to the tragedy by letting our inability to imagine this scenario stand in the way of our attempt to prevent and prepare for it.