Rather than waste their time grilling Secretary of Defense-designate Chuck Hagel about discarded positions on gays and the "Israel lobby" at his confirmation hearings last week, members of the Senate Armed Services Committee should have spent time on real threats for the 21st century: cyberwarfare.
Hagel cited that threat in his opening remarks but wasn’t asked about it.
The Pentagon, National Security Agency, the Federal Reserve Board and the Department of Homeland Security have all acknowledged prior cyberattacks, as have institutions like Bank of America (NYSE:BAC), Citigroup (NYSE:C) and Apple Inc. (NASDAQ:AAPL), the most valuable technology company.
Last fall, retiring Secretary of Defense Leon Panetta warned of a “cyber Pearl Harbor” that could see hackers breaking into those institutions, as well as essential elements of national infrastructure, such as the electric power grid, air traffic control system and water and railroad companies.
Last month, Panetta authorized a massive buildup in the military’s personnel assigned to rooting out intruders and hackers. The Cyber Command, managed by the National Security Agency, will get a fivefold boost to 4,900 people by 2016.
There will be a “national mission force” to protect computer systems for infrastructure, a “combat mission force” to respond to cyberattacks and a “cyber protection force” to prepare responses to attacks.
Last week, the New York Times, published by New York Times Co. (NYSE:NYT), the Wall Street Journal, owned by News Corp. (NYSE:NWS) and the Washington Post, owned by Washington Post Co. (NYSE:WPO), acknowledged their systems had been hacked, most likely by China in retaliation for stories published about the private fortunes amassed by top Communist Party officials, including Prime Minister Wen Jiabao.
The Times hired AT&T Inc. (NYSE:T), the No. 1 telecommunications carrier, and security expert Mandiant, a private company run by a former Pentagon cyberwarrior, to deal with the problem. Intruders had hacked every employee password and computer, broken into 52 employee PCs and probably even obtained email addresses of confidential informants who had aided reporters.
Other online providers including Bloomberg LP have been hacked, as has Google Inc. (NASDAQ:GOOG), the No. 1 search engine, and EMC Corp. (NYSE:EMC), the No. 1 maker of storage products.
Last week, both Hewlett-Packard Co. (NYSE:HPQ), and International Business Machines Corp. (NYSE:IBM), the top computer companies, announced new cybersecurity software and services for enterprises especially fashioned to deal with intrusion and hacking. But IBM’s announcement explicitly read in capital letters that its product won’t MAKE YOUR ENTERPRISE IMMUNE FROM THE MALICIOUS CONDUCT OF ANY PARTY.
That’s the trouble with the entire computer industry, said C. Warren Axelrod, a veteran of the industry who’s served on numerous national commissions on security, especially leading up to the Y2k phenomenon of 2000. His “Engineering Safe and Secure Software Systems” (Artech House: $109) is his latest work.
“Basically, the whole approach to information security and cyber security is broken,” he said. Organizations like New York Times use software from Symantec Corp. (NASDAQ:SYMC) that doesn’t protect them. They don’t even know when they are being penetrated, he said. Intruders send malicious software, or malware, with email that gets opened and infects an entire network.
There’s inadequate detection of intruders, Axelrod said, with too many entryways, a problem being made worse by smartphones that allow access into corporate networks, providing more access to hackers. Then it becomes easier for an intruder to break in, insert malicious software or “malware” and potentially work for years without being caught.
“Too many companies were compromised and didn’t know about it,” said Axelrod, who has a doctorate in operations from Cornell and decades of experience watching security for major banks and Wall Street firms. Credit-card data and other information has been hacked and stolen, with major breaches of confidentiality.
Many organizations have simply been too lazy to apply security. After the suicide of Aaron Swartz last month, authorities disclosed that the accused hacker had personally broken into the computer center at Massachusetts Institute of Technology and attached a laptop to its network so that he could illegally download documents from its JSTOR network.
Swartz was seen on camera walking in with a laptop but not walking out without it.
Looking ahead, Axelrod said next-generation systems can be made far less vulnerable, if not completely immune from attack. Still, the fact that even major players like IBM refuse to guarantee immunity implies the software and networking sector has a long way to go.
“What we really need is a Manhattan Project to design safe and secure cybersystems,” Axelrod said.