When confronted by a sudden, unexpected high level of stress and overwhelming anguish, our brain employs a coping mechanism that suppresses the experience long enough to enable us to regain control. This capacity kicks in automatically to prevent us being paralyzed, unable to move or speak.
But because the same experience can be perceived differently depending on the individual, each of us responds in a very different way. Some of us will run when confronted by a challenge, while for others, the brain will also try to block something out altogether when we do not understand what is going on. But putting off dealing with something does not resolve it — a fact that U.S. policy makers would do well to consider.
For years now, cyber security experts have been warning about the vulnerability of our nation’s information systems. They are not all in agreement, of course — what group of experts is? Nevertheless there is at least some consensus that our cyber underbelly has become more and more exposed. But even as we have become aware of that, so have our potential adversaries.
The fact is that our vulnerability to attacks on our critical infrastructure (communications, air traffic control, water, gas, emergency services, and more) generally, and the power grid in particular, has become dangerously apparent. Meanwhile, the Internet has become a vital part of our personal and professional lives — imagine trying to operate your business, big or small, without it.
Yet this vital tool is being attacked every day, and unless the United States stops being reactive to threats and policy makers become proactive in fortifying our defenses, our very real vulnerabilities will be exposed.
This is not hyperbole. The timid assert that there is no irrefutable evidence that we are actually in danger. But this begs the question of whether it will take yet another catastrophic attack on this country — this time in the form of a cyber attack — for legislators and the public to be roused from their lethargy? Are the reputed threats actual and significant or unconfirmed and exaggerated?
Consider Exposing One of China’s Cyber Espionage Units, a report released in February 2013. The Mandiant Group, a very well respected cyber security firm, presents a widely lauded and comprehensive account of state-sponsored cyber espionage. Their report provides credible evidence of a “smoking gun,” proof that since 2006, elements of China’s People’s Liberation Army, most recently PLA Unit 61398, have been hacking into information systems and stealing hundreds of terabytes of data from 141 American companies in 20 major industries. The theft of these corporations’ intellectual property allegedly included “technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from victim organizations’ leadership.”
Meanwhile, there are also credible accounts of the information systems of banks, gas pipelines, and virtually every other critical infrastructure having been hacked on an ongoing basis for years.
So far, we have been able to tolerate the inconvenience of a disruption to our power supply. A decade ago in the northeast, when the lights went out in the so-called Northeast Blackout of August 2003, the lives of some 50 million people were adversely affected, with the costs of the blackout hitting an estimated $6 billion damage, with at least 11 lives lost over a mere two-day period. Consider how much worse this could have been had it occurred during a winter month. It is true that that incident was not a cyber attack. But it very easily could be next time.
A few years ago, the Scientific American asked an important question: “Are we still at risk for a massive blackout?” The answer, of course, is yes. But will it take an incident of a similar scale to prompt the public to demand that lawmakers take action and come to terms on appropriate and meaningful legislation to ensure that the lights are not put out deliberately?
Consider the U.S. senators who last month voted not to take up the CISPA bill (Cyber Intelligence Sharing and Protection Act), which had passed overwhelmingly earlier in the month in the House of Representatives. That decision underscored the fact that despite us living in a glass house, pundits, politicians and civil libertarians are more fearful of “big brother” than they are of real threats.
One does not need to have a Ph.D. in marine zoology to recognize danger in the water — if we see a dorsal fin coming towards us, a self-preservation instinct should kick-in. It would be foolhardy to wait until we know if it is a basking shark or a Great White that we have spotted in the water before we clamber into the boat to safety.
Today, there are many digital dorsal fins of cyber sharks circling America. If we do not get out of these troubled waters by enacting enabling legislation to protect ourselves, America’s critical information infrastructure will remain more virtual than real. Our way of life is at grave risk. What will it take to spark meaningful action?
William L. Tafoya is a retired FBI special agent and professor and director of information security and protection at the University of New Haven.
