Last year came the bald warning from Defense Secretary Leon Panetta of the possibility of a "cyber Pearl Harbor" – perhaps perpetrated by an enemy nation, extremist hacktivist groups, or cyber-savvy terrorists – that could be destructive enough to "paralyze the nation."
The threats originate from any number of sources: the lone hacker in the basement, networks of activists bent on cyber-monkey-wrenching for a cause, criminal gangs looking to steal proprietary data or money, and operatives working for nation-states whose intent is to steal, spy, or harm.
But at the Pentagon, attention these days is focused on the advancing cyberwar capabilities of China, Russia, and, especially, Iran. Iranian-backed cyberattackers, who in September targeted nine US banks with distributed denial-of-service attacks that temporarily shut down their websites, were testing America's reaction, Dr. Lewis says. The same kind of attack took place in December.
All the multiple attackers with various motives – and multiple targets – make defending against cyberattacks a challenge. Government agencies, the Pentagon, and defense contractors seem to have gotten serious and have greatly beefed up security. Companies' spending data also indicate an apparently growing awareness of the threat, with cybersecurity expenditures increasing.
But that's hardly enough, cyber experts such as Lewis say. Critical infrastructure needs to have its cybersecurity tested to ensure it's adequate, he and others say.
"Like anything else in America, there's a large, noisy debate driven by business interests and hucksterism – people shouting about cyberattacks," Lewis says. "But the situation is clearly serious. Our vulnerabilities are great. I recall our first CSIS meeting on cybersecurity in 2001. At that time, we agreed that if nothing significant was done to change things in a decade, we'd be in real trouble. Well, here we are."