U.S. at risk of cyberattack

The Internet is a marvel of American ingenuity, and by now practically every vital U.S. system -- from the power grid to the banking system -- depends on it.

But this great source of innovation and economic growth is also a great source of weakness, because the Internet wasn't created to be secure. It's anonymous, it eradicates distance, and most of all, it's open. Anyone can get on, and if someone develops some harmful software, anyone else can use it.

As a result, cybersecurity is a huge and growing national problem. Every day seems to bring some new cybercrime; most so far are malicious or profit-oriented, but Internet espionage is widespread too, aimed at both state secrets and valuable intellectual property.

So when Chinese hackers recently tried to steal the passwords of White House officials, along with those of activists and others, it was hardly an isolated incident; Google and 80 other U.S. technology companies were attacked from China only last year.

And it isn't only China. Congress and federal agencies are attacked 1.8 billion times a month. An FBI-linked consortium that tracks cybercrime closed its website after hackers exposed the user names and passwords of its members.

Short of war, nations are unlikely to launch serious cyberattacks for fear of real-world retaliation, but cyberterrorism is something else again. The Internet is ideal for it, offering individuals a way to do great harm from far away at low cost, possibly without detection.

Despite some half-steps by the Obama administration, our country is woefully unprepared to ward off or cope with such assaults. On top of all this, China and other countries are building their capacity to do battle in cyberspace in the event a full-blown conflict should erupt. "The next Pearl Harbor that we face," Leon Panetta, the president's nominee for secretary of defense, said at his Senate confirmation hearing last week, "could well be a cyber attack."

The United States isn't idle; some experts believe we had a hand in Stuxnet, the virus that disrupted Iran's march toward nuclear weapons. Yet the success of Stuxnet demonstrates the magnitude of our challenge in securing our own vital networks from attack. Doing so is complex in part because the vast majority are in private hands.

No computer is impregnable while connected to the Internet. Yet computers and networks can be made hugely more secure if we invest the effort. The most important element required is concerted government action.

Unfortunately, Washington hasn't established coherent high-level leadership on cybersecurity. And laws haven't kept up with fast-moving technology. Security expert Bruce Schneier and legal scholar Michael Scott, for instance, want to make software makers liable for the security of their products, just as makers of lawn mowers and toys are liable when their products cause harm. Scott sees firms whose networks are breached as victims, and figures the tort system can improve the safety of code as effectively as that of cars.

Other experts urge Uncle Sam to mandate minimum security standards for critical systems such as power, finance, telecommunications and government. Better protection for consumer data will take legislation as well.

We need more trained cybersecurity experts and more research, particularly on how the Internet's architecture might be made more secure. The government can also use its buying power to demand more secure software and hardware, which could then be available for private-sector users. Finally, since the Internet ties nations together, improving cybersecurity will take international cooperation -- on standards, law enforcement and establishing norms as well as consequences for noncooperation.

Free societies are always vulnerable to attack, especially when technology allows small groups to achieve large effects. But there is a lot we can do to protect ourselves from potentially devastating attacks that could lead to serious loss of life. It would be tragic if another 9/11 -- this one initiated in cyberspace -- were needed for us to act. hN