July 9, 2015 Prepare for more cyber attacks on US
Gillian Tett
Washington needs to answer the question that Kissinger once asked of Europe: ‘Who do I call?’
Another week, another wave of cyber alarm in America. On Wednesday both the New York Stock Exchange and United Airlines suspended activity for several hours due to mysterious computing problems, while the Wall Street Journal’s website briefly went down. All three insisted that the outages reflected technical hitches, not malicious attack. But many are anxious after past assaults on mighty American companies and agencies.
In February Anthem, an insurance company, revealed that cyber hackers had stolen information on 80m customers. The Washington-based Office of Personnel Management said cyber hackers had taken data on millions of federal employees. Companies ranging from retailers to banks have been attacked, too.
On Wednesday — just as the NYSE was frozen — Cambridge university and Lloyds insurance group released a report suggesting that if a cyber assault breached America’s electrical grid, this could create $1tn dollars of damage. A few minutes later, James Comey, the FBI director, told Congress that it is struggling to crack encryption tools used by jihadis. In May, Mr Comey said Islamic terrorists were “waking up” to the idea of using malware to attack critical infrastructure. It is scary stuff.
The key issue that investors, politicians and voters need to ponder is not simply who might be the next target, but whether Washington has the right system in place to handle these attacks. The answer is almost certainly No.
On paper, there is no shortage of resources; earlier this year, for example, President Barack Obama earmarked $14bn for the cyber fight. But the key problem now is not so much a lack of cash — but co-ordination: as fear spreads, a bewildering alphabet soup of different agencies and task forces is leaping into cyber battle, often with little collaboration. The institution that is supposed to be in charge of security threats is the Department of Homeland Security. But its skills are viewed with scepticism by military officials. The Pentagon has its own cyber warriors, as do America’s intelligence agencies.
The White House has tried to force these bodies to work together. Separately, civilian agencies such as Nuclear Regulatory Commission started holding discreet meetings with each other last autumn on cyber issues too. But collaboration across sectors is patchy. “The level of readiness in different agencies varies enormously,” admits a senior Washington figure at the centre of these efforts. Add in private sector bodies and the picture is even worse: not only is the Pentagon wary of sharing data with, say, the Chamber of Commerce, but companies are often terrified of revealing attacks to each other.
Is there a solution? One sensible response might be to create a new agency to provide a central focus for the cyber fight. There is precedent for that; most Washington regulators emerged in response to a new threat. The Securities and Exchange Commission, for example, was created after the 1929 stock market crash; the Food and Drug Administration appeared after scandals over dangerous medicines. A second option might be to relaunch the DHS to focus on the cyber fight. It could, for example, be named the Department of Cyber and Homeland Security.
Either way, Washington needs to answer the question that Henry Kissinger once posed in relation to Europe: in a crisis: “Who do I call?” Some countries have found ways: Australia has impressive levels of co-ordination between the public and private sector over cyber defences. But as the sense of tribalism builds in Washington, the sad truth is that it may take something — like a really big crisis — before anyone can bang bureaucratic heads together in an effective way. Better just hope that this “something” will not be too devastating; such as a real attack on the transport sector and markets.
