Companies including utilities, banks and phone carriers would have to spend almost nine times more on cybersecurity to prevent a digital Pearl Harbor from plunging millions into darkness, paralyzing the financial system or cutting communications, a Bloomberg Government study found.

Spies, criminals and hacker-activists are stepping up assaults on U.S. government and corporate systems, spurring efforts by Congress and President Barack Obama to shield infrastructure essential to U.S. national and economic security, such as power grids and water-treatment plants.

Hardening those systems would require a significant investment given the increasing stealth and sophistication of hackers, according to Lawrence Ponemon, chairman of the Ponemon Institute LLC, a research firm that collaborated with Bloomberg on the study released today in Washington.

“The consequences of a successful attack against critical infrastructure makes these cost increases look like chump change,” Ponemon said in an interview. “It would put people into the Dark Ages.”

The study, described by Ponemon as the first to place a price tag on cybersecurity, is based on interviews with technology managers from 172 U.S. organizations in six industries and the government. Survey respondents were granted anonymity owing to the sensitivity of discussing cybersecurity weaknesses.

To achieve security capable of stopping 95 percent of attacks — considered by the Traverse City, Michigan-based Ponemon Institute to be the highest attainable level — those surveyed said they would have to boost spending to a group total of $46.6 billion from the current $5.3 billion.

The findings add to debate in Washington over how to compel operators of vital infrastructure to bolster their network defenses. House and Senate lawmakers are considering a series of measures aimed at thwarting hackers, spurred by high-profile assaults at companies including Sony Corp. and Citigroup Inc.

Senate Majority Leader Harry Reid, a Nevada Democrat, has said he plans to bring a comprehensive cybersecurity bill to the floor of the chamber for debate by Feb. 17.

The bill, which may be introduced as soon as this week, will mirror elements of an Obama administration proposal in May that calls for the Homeland Security Department to identify critical infrastructure and set cybersecurity standards for operators of such systems.

Obama cited the need for far-reaching legislation “to stay one step ahead of our adversaries” in his Jan. 24 State of the Union speech to Congress.

House Measure

In the House, Republicans including Dan Lungren of California are pursuing several narrower bills rather than a single comprehensive measure. They favor incentives to spur companies to share cyber-threat information and better protect their networks.

The Obama administration's cybersecurity coordinator, Howard Schmidt, said legislation that takes a limited approach to cybersecurity and is only based on incentives will “continue to expose our country to serious risk.”

“Now is the time to pass legislation that ensures the companies we rely on to power our hospitals, supply our water, support our troops and drive the economic engine of our country are adequately addressing cybersecurity risks,” Schmidt said in a Jan. 26 White House blog post.

In an event that hints at the damage of a successful cyber attack on the electrical grid, a blackout in August 2003 left an estimated 50 million people in North America without power for as long as four days and cost as much as $10 billion, according to a study by the U.S. and Canadian governments.

To achieve an ideal level of security in which 95 percent of attacks are thwarted, utilities and energy companies surveyed in the Bloomberg study would have to increase average annual spending more than seven-fold to $344.6 million per company from the current level of $45.8 million.

“If you interview power companies and say, 'Is your control system connected to the Internet?' they'll say, 'Of course not,'” James Lewis, technology program director at the Center for Strategic and International Studies in Washington, said in an interview. “It turns out in almost every case a control system is connected to the Internet and it's vulnerable to being hacked.”

The Stuxnet computer worm, which infected industrial computer systems around the world, has raised concerns that networks running nuclear power plants and chemical facilities may be vulnerable to sabotage. Stuxnet may have been created to disrupt Iran's nuclear program, according to a study by Symantec Corp., the biggest maker of security software.

'New Era'

“We have entered into a new era of combat,” Michael Hayden, former Central Intelligence Agency and National Security Agency director, said in an interview.

“The evidence of the damage that's been done has been accumulating and changing in scale and scope,” said Hayden, a principal with the Chertoff Group, a Washington-based security-consulting firm founded by former Homeland Security Department Secretary Michael Chertoff.

A U.S. government report in November named China and Russia as the leading perpetrators of cyber espionage and said the pace of digital spying is accelerating. U.S. companies aren't doing enough to shield their networks from attempts to steal national secrets and intellectual property, according to the report by the National Counterintelligence Executive, an advisory panel of senior U.S. intelligence officials.

The U.S. Chamber of Commerce, the nation's largest business-lobbying group, said last month that four of its employees were targeted by China-based hackers in a 2010 security breach.

U.S. Defense Secretary Leon Panetta unveiled a strategic plan Jan. 26 that highlighted the increasing importance of cyber operations while calling for a smaller, leaner military. The Pentagon would shrink the Army and Marine Corps by about 100,000 people under the plan offered by Panetta, who told lawmakers at his June confirmation hearing that the “next Pearl Harbor that we confront could very well be a cyber attack.”

Fears of a catastrophic cyber attack may be overblown, while repeated corporate hackings may erode public trust in Web-based transactions, Dale Meyerrose, former chief information officer for the U.S. Director of National Intelligence, said in an interview.

“The biggest scare in cyberspace will be more emotional and psychological than it will be actual,” said Meyerrose, a vice president at Harris Corp., a Melbourne, Florida-based communications and information-technology provider. “People will lose trust in their ability to do banking online and their ability to buy things online and their ability to use an ATM.”

Financial Services

Of all the industries surveyed in the Bloomberg study, financial services would face the steepest increase in spending to reach an ideal state of protection. Financial companies' annual security costs would jump almost 13-fold on average to $292.4 million per company to fend off 95 percent of attacks, from the current $22.9 million, according to the study.

“The current state is woefully inadequate, and basically we need to think as a nation of how do we fix these problems before they hurt us,” Ponemon said. “Improving security requires real dollars. It's not just simple tune-ups.”

Even an incremental improvement in computer defenses would require a significant investment, according to all of the organizations surveyed by Ponemon. To be able to thwart 84 percent of attacks, up from the current 69 percent, respondents said they would have to almost double their average expenditures on equipment and practices such as user verification systems, encryption and workforce training.

That increase would bring the group's combined spending on security to $10.2 billion from the current $5.3 billion, according to the study. The survey polled technology managers at 124 companies, along with 48 federal, state and municipal agencies.

The cybersecurity debate echoes earlier tussles over car safety, when Congress mandated seat belts over auto-industry objections that the move would hurt their competitiveness, said Lewis of the Center for Strategic and International Studies.

“We didn't tell the car makers to give the seat belts away,” he said. “We let them put it on the bill, the total cost of the car. We'll need to do the same thing here.”

To limit the economic burden, policy makers should concentrate on four key areas — energy and electrical, telecommunications, financial services and government — needed to keep the country running, Lewis said.

Building support for cybersecurity measures is difficult because “we're guarding against a potential,” he said.

“The pattern in the U.S. is not to do anything until there's a disaster,” he said. “The way we're going to find out if someone has the capability is we'll wake up one day and the lights won't work.”

Bloomberg News

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
