The Economist : Frantic Jockeying For Funding Behind Recent Cybersecurity Scare Stories
Saturday, April 25, 2009
IT IS the new frontier for military and intelligence activity: cyberspace. For years military experts and computer scientists have speculated about the possibility of a nation’s infrastructure being attacked using computers, rather than bombs. There have been dark warnings of the danger of a “digital Pearl Harbour”—an unexpected strike in which digital attackers shut down America’s electrical grid or air-traffic control systems, or hack into nuclear-power stations and cause them to overheat. In recent years such concerns have been heightened by the first real examples of large-scale cyber-attacks—on Estonia in 2007 and Georgia in 2008. In each case, government websites were brought down by a deluge of traffic, apparently from Russia. The actual damage done was minimal, but it has all added to the sense of urgency, in America in particular, about the need to protect critical infrastructure from such an attack. In the past few weeks there have been alarming reports that America’s systems have already been infiltrated. On April 8th the Wall Street Journal quoted “current and former national-security officials” who warned that “cyberspies” from China, Russia and elsewhere had broken into the systems that control America’s electrical grid and had installed software that could be used to disrupt it. And on April 21st the newspaper said foreign hackers had penetrated computers containing data about the F-35 Joint Strike Fighter. Does this mean America is suddenly under attack, and that war has broken out in cyberspace?
It is difficult to believe that America, Russia and China are not all probing each other’s computer systems, and the picture is further complicated by the involvement of unofficial groups, such as those thought to have attacked Estonia and Georgia (whether or not they are backed by governments is a murky matter). But the most likely explanation for the sudden spate of scare stories is rather more mundane: a turf war between American government agencies over who should oversee the nation’s cyber-security. In one corner is the Department of Homeland Security, which operates the National Cyber Security Centre (NCSC), a body set up to co-ordinate America’s various cyber-security efforts. In the other corner is the National Security Agency (NSA), which thinks it ought to be in charge. At stake are tens of billions of dollars in funding promised for a multi-year cyber-security initiative. In February Barack Obama launched a review of America’s cyber-security efforts. The findings are expected to influence how funds are allocated and the relative balance of power between the various agencies. Frantic jockeying for position may explain the recent scare stories, and their curious lack of detail. The outcome of this behind-the-scenes struggle may well be a compromise. The official in charge of the review has talked of establishing a cyber-security office within the White House to co-ordinate the efforts of different agencies. And at a security conference in San Francisco this week the director of the NSA insisted that his agency did not want sole responsibility for cyber-security, but wanted to work with other agencies. So do not be surprised if cyber-security miraculously seems to improve once Mr Obama decides how to divide up the money and the power. But that is no excuse for frightening everybody, nor for making an already murky subject much murkier. The agencies involved need to focus on improving security, not playing politics and spreading scare stories.