Cyberdefense mired in Cold War

The absence of a catastrophic cyberattack against the United States has

created a false sense of cybersecurity and has allowed costly Cold War-era

Pentagon programs to siphon money from critically needed information technology

and security programs, a panel of experts warned last week.

"We're still mired in a Cold War-era defense spending mentality," said

Sen. Charles Schumer (D-N.Y.) at a symposium titled "Technological Change

and American Security" and sponsored by The Brookings Institution.

The rapid advance of IT has created "real and potentially catastrophic

vulnerabilities," Schumer said, adding that the consequences of a cyberterrorist

attack "could be devastating."

Eye of the Beholder

However, senior security officials are battling a perception problem,

according to experts who took part in the symposium. Without a clear-cut

example of an "electronic Pearl Harbor," where a surprise cyberattack cripples

financial markets and other critical systems, it's difficult to convince

top military and political leaders that IT research and development should

be a bigger priority in the budget process, experts say.

"Cyberterrorism is not an abstract concept," said Jeffrey Hunker, senior

director for critical infrastructure protection at the National Security

Council. Although attacks historically have been labeled as "nuisances,"

that may not be the correct way to look at the problem, Hunker said.

The government is dealing with an "enormous educational deficit" when

it comes to IT security, he said.

Part of the problem is the fact that the Defense Department remains

committed to lobbying Congress for money to pay for programs such as the

F-22 Joint Strike Fighter instead of increasing funding for IT programs,

said Michael O'Hanlon, a senior fellow for foreign policy studies at The

Brookings Institution.

"I believe that is not affordable even in this age of surpluses," O'Hanlon

said, adding that DOD's assumptions about future budget gains are "wrong."

O'Hanlon advocated spending more money on advanced sensors, precision-guided

weapons and other IT programs. That type of investment would preclude the

need to buy costly systems such as the F-22, he said.

But even events such as the outbreak of the "love bug," which reportedly

cost the U.S. economy billions of dollars, have not convinced people in

and out of government that the problem is real, Schumer said. Usually, when

a major crisis costs people a lot of money, it leads to many visits to Capitol

Hill and requests for help, Schumer said. But that never happened after

the love bug outbreak, he said.

Some experts have questioned the government's liberal use of the term

terrorism to describe acts of mass disruption on the Internet. However,

when asked about the seeming lack of interest in cyberattacks by well-known

terrorists such as Osama bin Laden, a senior White House official said the

focus should not be on what bin Laden does or does not do, but on being

proactive and understanding that a major attack may be coming.

Hunker said he agrees. "We are attempting to be proactive," he said.

"I believe that we are going to get nailed seriously."

The National Security Agency is one of the federal entities that has

taken a proactive approach toward security cooperation between government

and industry (see box).

But one of the biggest challenges facing the nation, highlighted during

the love bug incident, remains convincing industry that security is as important

as making money, said John Nagengast, assistant deputy director for information

systems security at NSA.

"Vendors and users have to treat information assurance as a fundamental

precept of doing business," he said. "It has to become part of the business

case."