Companies including utilities, banks and phone carriers would have to spend almost nine times more on cybersecurity to prevent a digital Pearl Harbor from plunging millions into darkness, paralyzing the financial system or cutting communications, a Bloomberg Government study found.
Spies, criminals and hacker-activists are stepping up assaults on U.S. government and corporate systems, spurring efforts by Congress and President Barack Obama to shield infrastructure essential to U.S. national and economic security, such as power grids and water-treatment plants.
Hardening those systems would require a significant investment given the increasing stealth and sophistication of hackers, according to Lawrence Ponemon, chairman of the Ponemon Institute LLC, a research firm that collaborated with Bloomberg on the study released today in Washington.
“The consequences of a successful attack against critical infrastructure makes these cost increases look like chump change,” Ponemon said in an interview. “It would put people into the Dark Ages.”
The study, described by Ponemon as the first to place a price tag on cybersecurity, is based on interviews with technology managers from 172 U.S. organizations in six industries and the government. Survey respondents were granted anonymity owing to the sensitivity of discussing cybersecurity weaknesses.
To achieve security capable of stopping 95 percent of attacks -- considered by the Traverse City, Michigan-based Ponemon Institute to be the highest attainable level -- those surveyed said they would have to boost spending to a group total of $46.6 billion from the current $5.3 billion.
The findings add to debate in Washington over how to compel operators of vital infrastructure to bolster their network defenses. House and Senate lawmakers are considering a series of measures aimed at thwarting hackers, spurred by high-profile assaults at companies including Sony Corp. and Citigroup Inc.
Senate Majority Leader Harry Reid, a Nevada Democrat, has said he plans to bring a comprehensive cybersecurity bill to the floor of the chamber for debate by Feb. 17.
The bill, which may be introduced as soon as this week, will mirror elements of an Obama administration proposal in May that calls for the Homeland Security Department to identify critical infrastructure and set cybersecurity standards for operators of such systems.
Obama cited the need for far-reaching legislation “to stay one step ahead of our adversaries” in his Jan. 24 State of the Union speech to Congress.
In the House, Republicans including Dan Lungren of California are pursuing several narrower bills rather than a single comprehensive measure. They favor incentives to spur companies to share cyber-threat information and better protect their networks.
The Obama administration’s cybersecurity coordinator, Howard Schmidt, said legislation that takes a limited approach to cybersecurity and is only based on incentives will “continue to expose our country to serious risk.”
“Now is the time to pass legislation that ensures the companies we rely on to power our hospitals, supply our water, support our troops and drive the economic engine of our country are adequately addressing cybersecurity risks,” Schmidt said in a Jan. 26 White House blog post.
In an event that hints at the damage of a successful cyber attack on the electrical grid, a blackout in August 2003 left an estimated 50 million people in North America without power for as long as four days and cost as much as $10 billion, according to a study by the U.S. and Canadian governments.
To achieve an ideal level of security in which 95 percent of attacks are thwarted, utilities and energy companies surveyed in the Bloomberg study would have to increase average annual spending more than seven-fold to $344.6 million per company from the current level of $45.8 million.
“If you interview power companies and say, ‘Is your control system connected to the Internet?’ they’ll say, ‘Of course not,’” James Lewis, technology program director at the Center for Strategic and International Studies in Washington, said in an interview. “It turns out in almost every case a control system is connected to the Internet and it’s vulnerable to being hacked.”
The Stuxnet computer worm, which infected industrial computer systems around the world, has raised concerns that networks running nuclear power plants and chemical facilities may be vulnerable to sabotage. Stuxnet may have been created to disrupt Iran’s nuclear program, according to a study by Symantec Corp., the biggest maker of security software.
“We have entered into a new era of combat,” Michael Hayden, former Central Intelligence Agency and National Security Agency director, said in an interview.
“The evidence of the damage that’s been done has been accumulating and changing in scale and scope,” said Hayden, a principal with the Chertoff Group, a Washington-based security-consulting firm founded by former Homeland Security Department Secretary Michael Chertoff.
A U.S. government report in November named China and Russia as the leading perpetrators of cyber espionage and said the pace of digital spying is accelerating. U.S. companies aren’t doing enough to shield their networks from attempts to steal national secrets and intellectual property, according to the report by the National Counterintelligence Executive, an advisory panel of senior U.S. intelligence officials.
The U.S. Chamber of Commerce, the nation’s largest business-lobbying group, said last month that four of its employees were targeted by China-based hackers in a 2010 security breach.
U.S. Defense Secretary Leon Panetta unveiled a strategic plan Jan. 26 that highlighted the increasing importance of cyber operations while calling for a smaller, leaner military. The Pentagon would shrink the Army and Marine Corps by about 100,000 people under the plan offered by Panetta, who told lawmakers at his June confirmation hearing that the “next Pearl Harbor that we confront could very well be a cyber attack.”
Fears of a catastrophic cyber attack may be overblown, while repeated corporate hackings may erode public trust in Web-based transactions, Dale Meyerrose, former chief information officer for the U.S. Director of National Intelligence, said in an interview.
“The biggest scare in cyberspace will be more emotional and psychological than it will be actual,” said Meyerrose, a vice president at Harris Corp., a Melbourne, Florida-based communications and information-technology provider. “People will lose trust in their ability to do banking online and their ability to buy things online and their ability to use an ATM.”
Of all the industries surveyed by in the Bloomberg study, financial services would face the steepest increase in spending to reach an ideal state of protection. Financial companies’ annual security costs would jump almost 13-fold on average to $292.4 million per company to fend off 95 percent of attacks, from the current $22.9 million, according to the study.
“The current state is woefully inadequate, and basically we need to think as a nation of how do we fix these problems before they hurt us,” Ponemon said. “Improving security requires real dollars. It’s not just simple tune-ups.”
Even an incremental improvement in computer defenses would require a significant investment, according to all of the organizations surveyed by Ponemon. To be able to thwart 84 percent of attacks, up from the current 69 percent, respondents said they would have to almost double their average expenditures on equipment and practices such as user verification systems, encryption and workforce training.
That increase would bring the group’s combined spending on security to $10.2 billion from the current $5.3 billion, according to the study. The survey polled technology managers at 124 companies, along with 48 federal, state and municipal agencies.
The cybersecurity debate echoes earlier tussles over car safety, when Congress mandated seat belts over auto-industry objections that the move would hurt their competitiveness, said Lewis of the Center for Strategic and International Studies.
“We didn’t tell the car makers to give the seat belts away,” he said. “We let them put it on the bill, the total cost of the car. We’ll need to do the same thing here.”
To limit the economic burden, policy makers should concentrate on four key areas -- energy and electrical, telecommunications, financial services and government -- needed to keep the country running, Lewis said.
Building support for cybersecurity measures is difficult because “we’re guarding against a potential,” he said.
“The pattern in the U.S. is not to do anything until there’s a disaster,” he said. “The way we’re going to find out if someone has the capability is we’ll wake up one day and the lights won’t work.”