I’ve written about cybersecurity for a while now.  We can’t behave like ostriches with our heads in the ground (or, worse, up our a….s), thinking if we do nothing we’ll be ok. We’ve attacked Iran.  Oh, I know, we haven’t officially announced it, but the whole world knows that America and Israel are behind Stuxnet (which attacked at least 16000 computers in Iran), Flame, and their sister computer viri.  Moreover, we left a signature-  we made sure that the virus would only attack specific devices and networks.  Because, being American and Israeli, we don’t want to hurt innocents.  Except most hackers have no such ethics- which also proves the rest of the world who designed these viruses.

Congress was presented two bills to develop cybersecurity plans.  They both failed- even after being watered down.  Because the U.S. Chamber of Commerce (please don’t be fooled- this is an organization that represents BIG business, not like your local chambers that are comprised of small business members) lobbied long and hard.  Because the plans would cost money.  You think?  What is the biggest expenditure of the USA?  Defense.  Because defending this nation isn’t cheap.  Neither is the defense of our infrastructure.  (Building and repairing infrastructure is something we fail to do- religiously.)

So, the bills had minimum cybersecurity standards stripped out for business, in general- and only applied to water supply systems, electric grids, communications systems, and financial networks- with a provision that companies that adopt the standards would be exempt from liability for their actions in this regard.  Did that stop the lobbyists?  Oh, come on… you know there was no change in their attitudes.  (Leaving the US in the target latitudes!) Instead, the Chamber advocated information-sharing between private and public sectors.  Like sharing information, without any action, makes one iota of difference.

Let me remind you that during the Derecho that hit the DC metropolitan area left no stone unturned- no electricity and no phone service.    Because Verizon relies on batteries to provide POTS (plain old telephone service) during blackouts- but has not replaced those batteries in years.  (I would say decades, but I only have seven years of data.)  So, like the batteries in your computers after a few years, or those in your flashlights after a few months- there was no “juice”.  Which meant no 911 service- or, for that matter, regular service, for those relying on these decrepit batteries.  And, this was an act of G0d—not a concerted attack.

Right now, when companies get attacked, they generally don’t know it.  They find out later- when they look for something that should be there, or someone tells them there’s a problem.  (Think of your own computer; you often don’t know when you’ve been hacked- other people complain to you about what you are doing to them.) And, let’s consider Saudi Aramco.  The Saudi national oil company had some 30,000 computers destroyed during this attack (presumably by Iran).  Roughly ¾ of their IT department was wiped out.  Which terminated their oil production.  (Remember those oil price rises in August for which folks were scratching their heads…. Now, you know why.)    Not long after, Capital One and BB&T banks were attacked.  (Not that they admitted it- when I called to ask what happened to my ‘up-to-date’ information, they provided me a cock and bull story about merging their computer systems with another bank [one, whose merger never happened].)  They were out for days!

Just imagine if that were applied to ConEd (the largest electricity provider to the Greater New York region)- because if it went down, it would bring down other electrical networks connected to its grid.  And, if the computers were totally destroyed, then power would be off for a while- a l-o-n-g while.

Of course, if President Obama were to impose an executive order to control this hazard, there would be a hue and cry (among the opposition party).  But, this is allowed- under a law passed under President George Bush (Homeland Security Act of 2002)- which demands risk assessments of critical infrastructure be performed to identify which/what assets are vulnerable to cyberwarfare- with the imposition of voluntary standards- with the announcement of which firms comply or not with said standards.

We have to do something.  Right now, Maryland- which is (incorrectly) touted as our cyber capital (as well as the site of  the headquarters of the US Cyber Command)- has been cited as vulnerable- no protection of social security numbers, data breaches that go unreported,  laptops and tablets with sensitive information without encrypted files, among other problems.  If this is the best- then we are clearly unprotected. Are we going to wait for the cyber version of 9/11 to react?

Share this: