Who's Guarding the Internet?

WASHINGTON -- The nation is still vulnerable to cyberattack, and at least one senator is concerned that the private companies that own and manage much of the Internet aren't taking enough precautions.

"I am concerned that we essentially are underprepared for a cyberattack," Sen. Dianne Feinstein (D-California) said at a hearing of the Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security this week.

Security by Volunteers

Feinstein noted that nearly 90 percent of the nation's cyber-infrastructure is controlled by the private sector. Those networks, which handle the bulk of the country's online connections to the rest of the world, have little government oversight, she said.

"If [infrastructure security] is being dealt with on an ad hoc basis by whoever owns it without any federal regulation it could mean there are holes which hackers and cyberterrorists try to exploit," says Scott Gerber, a Feinstein spokesperson, of the senator's concerns.

During the hearing, Feinstein pointed out that the government has "embraced a voluntary market-based approach to cybersecurity."

Her comments were echoed by Tony Stanco, associate director at George Washington University's Cyber Security Policy and Research Institute.

"I wouldn't say that the critical infrastructure is fully protected at this point by a long stretch," Stanco says. While the government can protect its own Web sites and servers, protecting its section of the infrastructure won't make that much difference unless the banks, electrical companies, and other major corporations match the government's efforts, he notes.

"I'm not sure private industry's going to do it by itself," Stanco adds. "That's expecting a lot from them because most private industries would rather not disclose their vulnerabilities, so unless you have some legislation...it's kind of hard to see them voluntarily do it."

Where's the Watchdog?

Overseeing the country's cybersecurity falls to the National Cyber Security Division of the Homeland Security Council, which is within the Department of Homeland Security, formed after the 2001 attacks. In 2003, the division released the "National Strategy to Secure Cyberspace," a document of cybersecurity suggestions for private industry, individuals, and academia. All were created in an effort to preempt and fight terrorism.

The National Cyber Security Division recently launched the National Cyber Alert System, which notifies computer users of cybersecurity risks via e-mail alerts.

At the hearing, NCSD Director Amit Yoran also pointed to the Cyber Interagency Incident Management Group, created to "coordinate intergovernment preparedness and operations to respond to cyber incidents and attacks." He said the NCSD recently tested its response capabilities with Livewire, a sort of simulated cyberattack.

"At DHS, the question we ask ourselves every day is, 'How are we making America safer today?'" Yoran said in his testimony.

Shared Vulnerabilities

But critics at the hearing said the government isn't doing everything it should to guard against cyberterrorism.

An exploited vulnerability, which could result in a cyberterrorism attack, would be wide-ranging, according to Dan Verton, author of Black Ice: The Invisible Threat of Cyber-Terrorism. Verton is also a writer for Computerworld, a sibling publication of PC World.

Verton said there is "no longer any separation between the physical, real world and the cyberworld." He pointed out that computers and computer networks "control real things in the real world"--such as electricity, drinking water, and money transactions. Consequently, cyberattacks can have consequences in the physical world.

George Washington University's Stanco cited dams as an example of how electrical interconnectivity vulnerabilities could be exploited. If hackers got into the system of the company controlling a dam's floodgates, they could wreak havoc in the physical environment, not only in cyberspace.

"We've come some way" in securing cyberspace as well as physical operations against attack, Stanco says. "But there's still a long way to go."