The United States is not prepared to effectively coordinate a public/private recovery from a major attack on the Internet, cyber security officials told Congress today.
The primary problem, they explained to a sparsely attended House hearing, is leadership and clear lines of authority.
"Right now, no one in government is really looking at the macro level," Paul Kurtz, the executive director of the Cyber Security Industry Association (CSIA), told the lawmakers.
"Currently, there is little strategic direction or leadership from the federal government in the area of information security."
Before joining CSIA, Kurtz served at the Bush White House on the National Security Council (NSC) and the Homeland Security Council (HSC).
"Ensuring the resiliency and integrity of our information infrastructure and protecting the privacy of our citizens should be higher on the priority list for our government," Kurtz said.
Federal regulations make the Department of Homeland Security (DHS) the primary focal point for national cyber security safety, but a General Accountability Office (GAO) study released Wednesday in conjunction with the hearing backs Kurtz's position.
The report concludes that while the DHS has developed plans for infrastructure recovery, the component pieces of those plans that address the Internet infrastructure are incomplete.
"DHS has started a variety of initiatives to improve the nation's ability to recover from Internet disruptions, including working groups to facilitate coordination and exercises in which government and private industry practice responding to cyber events," the report states.
However, the GAO notes, progress has been limited and other initiatives lack time frames for completion.
The GAO also singled out the private sector for the "reluctance of many... to share information on Internet disruptions with DHS."
Larry Clinton, the chief operating officer of the Internet Security Alliance, conceded not enough is being done by the government or the private sector to secure cyber space.
"We cannot manage the risk of 21st Century technology solely using regulatory models designed two centuries ago," Clinton said.
"While regulation has its place, a new, more creative model built on market incentives must be developed."
Symantec's Vincent Weafer added to the House panel's concerns by stressing that the very nature of cyber threats is changing, further complicating the government's planning.
Large-scale, fast-moving virus or worm attacks, for instance, are on the wane.
According to Symantec data, there were almost 100 medium-to-high-risk attacks of that sort from 2002 to 2004. In 2005, there were only five and none have been reported so far this year.
"We've made significant headway in containing and repelling these sorts of threats," Weafer said.
"Cyber crime is the dominating security threat we're seeing today and there's been a marked increase in the use of 'crimeware'... used to conduct cyber crime," Weafer said.
He added that Symantec's tenth annual Internet Security Threat Report found that attackers are moving away from large, multiple hits against traditional security devices like firewalls and routers.
"Instead, they are focusing their efforts on regional targets, desktops and Web applications that may allow an attacker to steal corporate, personal, financial or confidential data," he explained.
Or, more ominously, breaching confidential information from power and energy plants, which could then be used to plan a physical attack.
All the gloomy testimony finally prompted Rep. Cliff Stearns (R-Fla.) to ask George Foresman, the undersecretary of preparedness at the DHS, to rank the country's preparedness to handle a major Internet attack on a scale of 1-10, with one being the most prepared.
"I'm not going to put a number on it," Foresman replied.
Stearns persisted, suggesting "very unprepared?"
Foresman reluctantly came up with, "Moderately well prepared but there is still much to do."