Preventing a "cyber 9/11" will require unprecedented collaboration between the government and the private sector, cybersecurity experts said Thursday.
A panel of experts discussed the emerging digital threats facing the nation’s critical infrastructure during an event at the Woodrow Wilson Center. Communications, transportation, and energy systems such as pipelines and hydroelectric plants are increasingly moving their networks online, where they are more vulnerable, they said.
The private sector must assume a greater role in protecting the security of those networks because a majority of the nation’s infrastructure is owned by private companies, said Janet Napolitano, secretary of Homeland Security, in a speech before the panel discussion.
Yet neither the government nor the companies have embraced the need for the partnership, which does not typically exist in matters of national defense, intelligence gathering or local law enforcement, she said.
"I don’t think we have yet to come to closure on whether this is an appropriate thing to have in terms of a shared responsibility rather than just the government being responsible," she said.
"This is really the first time in our nation’s history that we’ve approached a major security problem in this way."
Private companies are wary of regulations that would restrict their access to revenue sources and prove too costly or unrealistic, said Francis Taylor, vice president and chief security officer for General Electric.
Any standards that must be implemented by private industry in a cybersecurity framework, which must be developed by October as part of an executive order issued by President Barack Obama, should be based on rational discussions and not "threat mongering," he said.
However, recent events indicate that cyber threats remain very real and will only intensify in the coming years, said former Secretary of Homeland Security Michael Chertoff.
The Chinese continue to steal massive amounts of U.S. intellectual property, he said, and the cyberattack on Saudi Arabia’s national oil company Aramco last year could have endangered a tenth of the world’s oil supply.
"We have to tell the private sector to accept the fact that government is going to have to be involved in your network," he said. "The question is whether it’s the U.S. government or the Chinese government."
Private citizens should also be willing to shoulder some of the security burden by paying higher electricity bills, for example, to prevent the loss of critical infrastructure during attacks as damaging as natural disasters like Hurricane Sandy, said Stephen Flynn, founder and co-director of the George J. Kostas Research Institute for Homeland Security at Northeastern University.
When asked whether the improvement of cybersecurity for infrastructure could be hampered by recent revelations about the NSA’s surveillance of phone and Internet data, Chertoff said the public must realize that these programs are vastly different from the counter-terrorism ones. Nonetheless, addressing growing cyber threats necessarily results in a trade-off with privacy, he said.
"There are structural changes in our society with the availability of big data in the private sector that are not going to be rolled back," he said.
"We need to be honest about it."
Still, government could garner credibility for cybersecurity programs by being more transparent, Flynn said.
"There are some things that clearly have to be closed, but the government is starting to realize that it needs to err on the side of openness when dealing with these problems," he said.