Washington has spent more than a decade debating, with little real effect, how to protect the nation against cyber attack. Industries controlling the nation’s electrical grid and other essential infrastructure have resisted proposals for mandatory cyber defense standards, and have promised voluntary efforts. But major vulnerabilities remain.
The Wall Street Journal recently disclosed that Iranian hackers gained control of a small dam near Rye, N.Y., in 2013 in an attack that got the attention of the White House.
At the very least the incident showed an active effort by Iran to explore vulnerabilities in American infrastructure connected to the Internet.
But Iran is not the only potentially hostile nation doing this. Many attacks have been traced to the Chinese military and Russian organized crime.
The warning signs should be clear to the White House and Congress.
Cyber attacks on industry can cause major damage. Last year the German government disclosed that hackers gained access to the controls of a German steel plant and caused “massive” physical damage that destroyed a blast furnace.
Hostile hackers interested in the potential for damaging the U.S. economy have a rich target set to work with. The United States has some 57,000 industrial control systems connected to the Internet, more than any other country. In addition to most industrial processes, these systems control, among other things, pipeline flows, water release from dams and the opening and closing of drawbridges. A hacker could shut down production lines, cause pipeline explosions or floods, or close highways.
A decade of debate has exposed a fault line between those who think the federal government should not be allowed to regulate cyber security and those who think the nation will remain vulnerable as long as industries are left to their own devices. The compromise that has emerged stresses voluntary cooperation between the government and industry based on sharing information about vulnerabilities, attacks and best practices for cyber security.
The federal government, through the Department of Homeland Security, is supposed to lead the way. But the failure of government agencies themselves, such as the Office of Personnel Management and the Internal Revenue Service, to protect critical information raises questions about the effectiveness of the government’s capacity to provide adequate safeguards.
However, the nation is already under surveillance by enemies using cyber tools to probe our major vulnerabilities for use in a potential attack. Americans can no longer regard cyber vulnerabilities as an acceptable cost of doing business.
Infrastructure critical to the functioning of the economy and the national defense should either be disconnected from the Internet or otherwise protected from cyber attack.