Clearly, information technology plays an important role in capturing and sharing information.
IT is an essential part, but at some point, someone who wishes this country ill will say, "forget trying to put a bomb in the Transamerica Pyramid," for example, and attempt to shut the economy down with cyberattacks.
I've been pushing the Department of Homeland Security to stay focused on that, even as they worry about cargo containers that might have nuclear material. You have to do that as a first line of defence, but the cyberattack is easer to mount. It does not require danger to those who mount it; you don't have to be a suicide bomber. The overall landscape requires a whole new paradigm of thinking.
What kind of paradigm shift does cybersecurity require?
In the threat environment of the future, corporations are the first line of vulnerability. If I am somebody who wishes the country ill, I am not going to attack the Department of Defense or the CIA, which is where most attacks are currently targeted. Let me hack into a private corporation, such as Verizon, and see if I can cause a massive service interruption. When Secretary of Defense Donald Rumsfeld picks up the phone and says he wants to talk to the commander at Central Command, Verizon handles the telephony.
Doesn't the Defense Department have back-up systems?
Probably not anymore. In the old days -- in the 1950s -- they had private networks, but they found the public network to be more reliable and a whole lot cheaper. If I can hack into Verizon, it could cause the commander in the field to wonder if the signal he just received actually came from Rumsfeld. You can multiply the examples. If I wanted to bring the country to its knees, I would attempt to shut down the Fedwire, which clears all financial transactions electronically in this country.
How well protected is the Fedwire from cyberattacks?
Federal Reserve chairman Alan Greenspan and I have had this conversation, and he agrees with me that the Fedwire is a most sensitive target. He insists that the Fedwire is extremely well protected. But every year, the sophistication of the attackers gets better, and it's a constant sword-and-shield kind of battle.
For our secure future, we need a complete system of information sharing so that people in the private sector can say to the government, "this is what is happening to us," and the government can then analyse the data and say there is no sign of a coordinated attack or that it is a sophisticated coordinated attack. We can then go back to the company experiencing the attack and notify others to the danger. About 85 percent to 90 percent of the vulnerability we have as a society is in private hands, not government hands.
Folks should be able to share info with the Department of Homeland Security without being subjected to the Freedom of Information Act (FOIA). I don't want Osama bin Laden to mount a cyberattack, and when the company reports on the attack to the government, bin Laden finds a lawyer somewhere to file a FOIA request.
