Security expert: More sophisticated attacks likely

WASHINGTON - The cyber attacks of recent years have been relatively unsophisticated and inexpensive compared to the potential of organized attacks, a cybersecurity expert said Tuesday.

Organized attacks by teams of hackers that have members with expertise in business functions and processes -- as well the rudimentary access and coding expertise that many current attackers have -- could have a huge impact on a nation's economy, said Scott Borg, director of the U.S. Cyber Consequences Unit, an agency supported by the U.S. Department of Homeland Security.

"We will probably see terrorist groups, criminal organizations putting together combinations of talent," Borg said at the E-Gov Institute's Security Conference in Washington, D.C.

While past cyber attacks have done relatively small amounts of damage -- Borg believes estimates of damage from some viruses and worms have been overstated -- coordinated attacks on important targets such as the U.S. electrical grid, the banking and finance industry, or the telecommunications and Internet industries could potentially cause many billions of dollars in damage, he said.

Most viruses and worms knock out company networks for two or three days at most, but costs would multiply quickly for any coordinated attack on a critical U.S. industry that knocked out service for more than three days, said Borg, an economist. "You get gigantic numbers really fast," he said of a sustained attack.

Less pessimistic was Howard Schmidt, a former cyber security executive with eBay Inc. and Microsoft Corp. and former White House cyber security advisor.

Most companies doing business online have begun to understand cybersecurity, Schmidt said. "How many of you have really had a problem on the Internet?" he asked. "I don't know what people are talking about when they say urgent action is needed."

Cybersecurity vendors and Internet service providers are doing a good job of protecting customers from scams involving identity or credit card theft, Schmidt said. Identity theft and phishing e-mail probably won't be the major cybersecurity issues in coming years, he said.

Online businesses are also doing a better job of preventing denial-of-service attacks, Schmidt added. "I don't know of one I've heard of recently that's been successful," he added.

But Schmidt suggested that criminal hackers will be a major problem in coming years, as will mobile device security. Security professionals have a "window of opportunity" to improve wireless security before networked devices become ubiquitous, he said.

Borg also indicated that denial-of-service attacks won't be the wave of the future. Denial-of-service attacks and the viruses and worms are adolescent compared to the potential of attacks in coming years, he said.

"We're talking about what grown-ups could do if they were supported by an organization, if they were interested in inflicting serious economic damage, if they were well-supplied with expertise," Borg said.