The U.S. is losing a “cyberwar” and it will take a “cyber Pearl Harbor” for the country to take the steps necessary to protect critical computer systems, the nation’s former intelligence chief said.
Efforts to get companies to agree to voluntary steps to protect against hackers have failed because they see risks of potential lawsuits from customers or business partners, Mike McConnell, now vice chairman of contractor Booz Allen Hamilton Holding Corp. (BAH), said at a Bloomberg Government cybersecurity conference today.
“We were flatfooted and not ready for World War II,” said McConnell, who was director of national intelligence under President George W. Bush. “We have always responded by building up the community after a crisis.”
President Barack Obama “cares deeply” about cybersecurity since an attack would put the nation at risk, Michael Daniel, White House cybersecurity coordinator, said at the conference.
Obama issued an executive order in February for voluntary cybersecurity standards for power grids, air-traffic control and other vital systems. While McConnell said the order was “necessary but insufficient,” Daniel described the proposed best practices for businesses as a “true public-private partnership.”
Legislation in Congress to supplement the order isn’t moving “as fast as the administration would like,” Daniel said.
The White House executive order will advance the legislative debate and “help bring clarity to the specific kinds of information-sharing that we need,” Suzanne Spaulding, the Department of Homeland Security’s acting undersecretary for National Protection and Programs Directorate, said at today’s event.
Spaulding’s department is starting its efforts by encouraging the insurance industry to cover companies whose networks and property are damaged by a hacking attack, she said.
Obama yesterday met with corporate leaders from consumer, utility and defense companies to discuss the new standards.
McConnell, in an interview after his appearance, said Iranian hackers have probably infiltrated networks of major banks during cyber-attacks that started in January 2012.
Economic sanctions are “hurting them and hurting them badly,” he said. “Iran is looking for options to give them the ability to punch back in a big way.”
He said the hackers were looking for vulnerabilities “and I think they probably found some.”
One of Booz Allen’s large banking clients doubled security spending to $300 million a year from $150 million, he said. When the bank learned it was being attacked by a nation-state, not a hacking group, the bank official wondered why the U.S. government didn’t retaliate, he said.
The Obama administration’s position is that the consequences “are not severe enough yet,” McConnell said. “They have the position, ‘You deal with it.’”
Edward Snowden, a former Booz Allen employee, provided a “playbook” to enemies and did a “great disservice” to the U.S. by leaking top-secret documents about electronic surveillance, McConnell said.
“The sources and methods that he compromised, it is a playbook for those who we would consider adversaries,” he said.
“What was compromised will cause loss of life and great disadvantage, not only for the United States but for our allies,” McConnell said.
Booz Allen, the McLean, Virginia-based consulting company majority owned by Washington-based private-equity firm Carlyle Group LP, employed Snowden as a contractor to the National Security Agency.
Booz Allen fired Snowden, 30, in June, after news reports based on the information appeared in the U.K.’s Guardian newspaper and the Washington Post. Snowden had been employed as a technical assistant in Hawaii. He is now in Russia on temporary asylum.
Booz Allen is the No. 13 federal contractor, receiving $4 billion in awards in the 2012 fiscal year, according to Bloomberg Government. U.S. government awards were the source of almost all its $5.76 billion in revenue in the year ended March 31, according to a regulatory filing. Some 23 percent, or $1.3 billion, of its fiscal 2013 revenue was from intelligence agencies.
Lockheed, the government’s No. 1 contractor, automates basic security practices, such as applying patches and conducting remediation, which stops 80 percent of all attacks, he said.
“Now we do what’s called ‘intelligence-driven defense,’” Croom said. That means looking outside the company’s networks to learn what the new attacks are, analyzing data to learn the behavior of hackers and predicting where they may attack next, he said.
“This is where government and industry can work together,” NSA Director Keith Alexander said during the conference. “Government cannot do this alone.”
Companies have to be able to tell the government when an attack is under way, he said.
“If a bad packet is coming into Wall Street, the Internet service providers could see that,” and tip off other companies and federal agencies at speeds faster than human reaction time to help thwart attacks, Alexander said.
To contact the editor responsible for this story: Bernard Kohn at firstname.lastname@example.org