The US is unprepared to deal with a major cyber emergency. That’s the conclusion of a new report from the Business Roundtable, a group of 160 CEOs from the nation’s largest companies. Their concern about the issue is largely economic, since the Internet is now a key element of so much business activity. The group spent the last year looking at Internet safety and disaster recovery and concluded that a major strike (involving hackers, malicious software, natural disaster, or physical attack) on the basic fabric of the Internet could bring the US economy to a halt.
The Hurricane Katrina disaster was a wake-up call to Americans who believed that the country’s wealth, ingenuity, and “can-do” attitude could fix a problem of any scale in a short period of time. The reality of the situation was that without preparation and proper coordination, even the US was incapable of responding to a disaster in a timely fashion. That lesson was not lost on the Business Roundtable; Katrina is cited several times in the report.
"Lessons learned from Hurricane Katrina suggest that political and business leaders must consider, in advance, how they intend to respond prior to and in the aftermath of a major cyber disruption."
After discussing the economic importance of the Internet (hint: it’s enormous), the report identifies three “cyber gaps” in the nation’s Internet defense system. First up is the lack of formal “trip wires” that would let people know that an attack is in progress. Just as the National Weather Service alerts communities to the presence of hurricanes before they strike, the US needs to have better mechanisms in place for identifying a major Internet attack in its earliest stages. This is especially important because Internet attacks can unfold so much faster than natural disasters.
The second weakness is a “lack of accountability and clarity” about who does what. The report notes that current Internet safety is presided over by a mishmash of government and private-sector organizations with “unclear or overlapping responsibilities.” In the event of an emergency, it’s not always obvious who would be responsible for certain aspects of service restoration. The report again points to government agencies that take the lead in other areas—the National Weather Service for storms and hurricanes, the Centers for Disease Control for infectious disease. The Internet needs the same level of leadership and coordination.
Finally, the report identifies a lack of resources given to existing organizations such as the US Computer Emergency Readiness Team (CERT). They note that CERT currently has a budget of US$70 million a year—less than 0.2 percent of the overall Department of Homeland Security budget—and that little of the money is set aside for reconstruction and disaster management.
It’s not a pretty picture, but the report does provide some hope by outlining a series of recommendations for change. Most of these involve better coordination between government and industry groups, establishing a single point of contact for interaction with the government, and working out a way to share information in advance of a disaster (this of course is trickier when the Internet is not functioning). Note that the report does not advocate leaving the task to the government. Although the government can play a useful role, businesses want to be involved—and understandably so—in something so central to their continued existence.
The bottom line is that government and industry need to be ready to work together in the event of an attack or major outage. Preparing now could save lives, money, and time somewhere down the Information Superhighway.