Power grids, water treatment and distribution systems, major dams, and oil and chemical refineries are all controlled today by networked computers. Computers make the nation’s infrastructure far more efficient, but they also make it more vulnerable. A well-planned cyberattack could black out large parts of the country, cut off water supplies or worse. The Nuclear Regulatory Commission found that in 2003 a malicious, invasive program called the Slammer worm infected the computer network at a nuclear power plant and disabled its safety monitoring system for nearly five hours.
Despite the warnings after 9/11 – and again after the 2003 blackout – disturbingly little has been done. The Government Accountability Office did a rigorous review of the Department of Homeland Security’s progress on every aspect of computer security, and its findings are not reassuring. It found that the department has not yet developed assessments of the threat of a cyberattack or of how vulnerable major computer systems are to such an attack, nor has it created plans for recovering key Internet functions in case of an attack. The report also expressed concern that many of the department’s senior cybersecurity officials have left in the past year. Representative Zoe Lofgren, the California Democrat who was among those who requested the G.A.O. report, said last week that it proved that “a national plan to secure our cybernetworks is virtually nonexistent.”
As we’ve noted previously, the President’s IT Advisory Committee came to a similar conclusion in its report (pdf) on Cyber Security R&D, released last March. That report concluded that the federal government is largely failing in its responsibility to protect the nation from cyberthreats and recommended an immediate increase in the amount of support for cyber security research at NSF, DHS, and DARPA, and greater emphasis on civilian networks in addition to military-oriented networks.
Unfortunately, the early results of this appropriations season show that the recommendations for DHS continue to go largely unheeded….
Update: Ed Felten has a thoughtful post at Freedom to Tinker on the difficulty of addressing the cyberthreat problem with government action.