Cybersecurity experts warned congress on April 24th that unless strong legislation is passed to enforce basic security standards for critical infrastructure, this country could face a major cyber attack. “If we don’t do that this year, an attack is inevitable,” Center for Strategic and International Studies Senior Fellow James Lewis told the congressional committee.
According to an article on Government Computer News, the attacks that the public is seeing are only the “tip of the iceberg”, and it is the attacks that the public does not see that are very disconcerting. Shawn Henry, former executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, echoed what the NSA said a few years ago, that network operators “need to assume that they have or will be compromised”:
“The threat has reached the point that a determined adversary will access any system that is directly accessible from the network,” said Henry, who now is president of CrowdStrike Services, a cybersecurity intelligence start-up. “They will keep coming until they come in.”
The article also mentions that though China and Russia are a major concern, that are not the top threat to American networks. Lewis said, “I don’t worry about China and Russia, they aren’t going to start a war just for fun. I don’t know if we can say that for Iran and North Korea.”
Though many main stream computer security experts would counter the statement that a major attack is inevitable, the key really lays in the fact that a lot of information causing the concern is not released publicly. Even the NSA caught a lot of flack recently about their concerns about the hacker group Anonymous. But you have to realize the NSA has access to information that the public will never see, and if they are concerned, there really has to be something to it.
US networks would be much stronger if companies did enforce basic standard security procedures. But my question is why hasn’t critical infrastructure entities already implemented it? And why would we need more legislation passed to force them to do it, when it should already be done?