IT Security Tied to America's Economic Fortunes
Recommendations Pending for Securing Information Infrastructure
Still, the president sees protecting government and private-sector information systems as crucial to the economic vitality of the country. So, when Acting Senior Director for Cyberspace Melissa Hathaway hands the President her recommendations on securing the nation's information infrastructure later this month, a sharper picture should emerge on how much money the government will need to spend to do just that.
What Price Security?
The government isn't a spendthrift in protecting its IT networks; it earmarked $6.8 billion a year on cybersecurity this fiscal year, up from $4.2 billion five years ago, according to the White House Office of Management and Budget. But is that enough? Appropriating money to find new and innovative ways to protect our critical information infrastructure doesn't seem to be a government priority, at least not yet. Of the $147 billion the government planned to spend on all types of research and development this fiscal year, only $300 million, or 0.2 percent, was slated for cybersecurity, according to the Securing Cyberspace in the 44th Presidency report issued by the Center for Strategic and International Studies. By comparison, the budget contained five times as much money, $1.5 billion, for nanotechnology R&D.
President Obama suggests our economy can't afford to ignore securing IT. "Every American depends directly or indirectly on system of information networks," Obama said on the campaign trail last year. "They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow."
The Threat Landscape
The numbers back up Obama's contention. The new National Intelligence director, Dennis Blair, in Congressional testimony last month cited studies showing that the loss last year of intellectual property stolen from computer systems topped $1 trillion worldwide. In the U.S., he said, spam attacks cost the economy $42 billion in 2008. And it's not getting better. The U.S. Computer Emergency Readiness Team says it tracked 5,488 incidents of unauthorized access to federal government computers and installations of hostile programs in 2008, up from 3,928 in 2007 and 2,172 in 2006.
If not stopped, these continued cyber attacks could cost our economy dearly. "We're hemorrhaging information today at literally unknown rates," says former National Security Council counterterrorism director Paul Kurtz. "That's our economic viability, and we're in a world of hurt right now. We have an economic meltdown and our intellectual property are being stolen from up under our nose by other countries. We've got a serious problem."
That's because the growing connectivity among information systems, the Internet and other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, energy pipelines, refineries, financial networks and other critical infrastructures that could play havoc with our economy. "A successful cyber attack against a major financial service provider could severely impact the national economy, while cyber attacks against physical infrastructure computer systems such as those that control power grids or oil refineries have the potential to disrupt services for hours to weeks," Blair told lawmakers.
It's that nexus between digital and physical security, between government and business, that most troubles Greg Garcia, who served as Homeland Security assistant secretary for cybersecurity and communications in the final two years of the Bush administration, when it comes to securing the nation's IT infrastructure. Defending this nexus requires unprecedented cooperation between government and the private sector because 95 percent of the nation's information and physical critical infrastructure is owned by business.
But, Garcia says, the government shouldn't over-regulate industry to get its cooperation; instead, federal lawmakers and the administration should develop solid business cases to persuade business to buy in.
"A regulatory model is pretty hard to put in place because of the complexity of our network infrastructure, and the need for resilience in how we manage this infrastructure," Garcia says. "A one-size-fits-all regulatory regime is difficult to come by, but by the same token, we continually face problems where some in the private sector in trying to look at their cost-benefit analysis often give security the shorter end of the stick. We're trying to get many in the private sector to do is sit up and recognize that many of their critical infrastructures are vulnerable. They need to invest those resources to secure those infrastructures."
Whether through persuasion or regulation, government and business need to find the money to better secure the nation's critical IT infrastructure to avoid an economic upheaval.