The Bipartisan Policy Center produced a report that is getting a fair amount of attention and raising some concerns. The report stated that the number of cyber attacks appears to be on the rise, along with financial losses.
This data was based on information from October 2011 through February 2012. The report indicates, that over 50,000 cyber attacks on private and government networks were reported to the Department of Homeland Security, including 86 attacks on “critical infrastructure networks.” Information also indicated that many private firms keep the fact that they experienced a cyber attack secret “because of fears, some justified, including harm to their reputations and potential loss of customers.”
This is a complicated issue to be sure. However, it also seems to indicate that all the metrics and measures that are use to assess the current state of the cyber attack threats are inaccurate and the threat is woefully understated.
Basically everyone agrees the United States needs to improve cyber security and properly defend the critical infrastructure. However, current legislation has created a division between the critical infrastructure providers and those responsible for the country’s national cyber security. Many of the critical infrastructure providers’ want reimbursement for the costs required to take the steps necessary to defend these critical systems.
It seems to boil down to answering the question of who pays. Once again it must be pointed out that cyber attacks have become a common occurrence. The malicious acts are known to have a financial impact, as well as an impact on the target company’s stock price if the company is publically traded. As such cyber attacks are a foreseeable risk.
The web site Compliance Home addresses this specific issue. They state “a foreseeable risk, which in legal terms is defined as a danger that a reasonable person should anticipate as the result of his or her actions or inaction. In other words, a person or company that doesn’t respond to a foreseeable risk could be found negligent if they depart from the conduct expected of a reasonably prudent person acting under similar circumstances.”
This is not new or should it be a surprise. Critical infrastructure providers MUST respond to the foreseeable risk posed by cyber attacks or they could be called to account for negligence. Let’s hope that defending the critical infrastructure of the nation is not held up by the question of who pays.
This article was written in honor and remembrance of Petty Officer Third Class John Thomas Larimer of the U.S. Navy Fleet Cyber Command, victim of the Aurora, Colorado shooting tragedy.
Kevin G. Coleman is a long-time security technology executive and former Chief Strategist at Netscape. He is Senior Fellow with the Technolytics Institute where he provides consulting services on strategic technology and security issues. He writes a weekly blog for Breaking Gov on the topic of cyber intelligence.