The nation's top national security leaders have convinced President Obama and much of the leadership in Congress that the U.S. is at risk of a "Cyber Pearl Harbor" or "Digital 9/11" if it does not take drastic measures to improve both defensive and offensive cyber security capabilities against hostile nation states.
But those leaders, Defense (DoD) Secretary Leon Panetta and Homeland Security (DHS) Secretary Janet Napolitano, have not convinced every expert in the cyber security community, and there is now increasingly vocal push-back from some of them.
Critics argue that not only is the threat of a catastrophic cyber attack greatly exaggerated, but that the best way to guard against the multiple risks they agree exist is not with better firewalls or offensive strikes against potential attacks, but to "build security in" to the control systems that run the nation's critical infrastructure.
Bruce Schneier, author, Chief Technology Security Officer at BT and frequently described as a security "guru," has not backed off of his contention made at a debate two years ago that the cyber war threat "has been greatly exaggerated." He said that while a major attack would be disruptive, it would not even be close to an existential threat to the U.S.
"This [damage] is at the margins," he said, adding that even using the term "war" is just a "neat way of phrasing it to get people's attention. The threats and vulnerabilities are real, but they are not war threats."
Gary McGraw, CTO of Cigital, recently argued that while existing control systems are "riddled with security vulnerabilities" since they are outdated and were not designed with security in mind, trying to protect them with a preemptive attack against a perceived threat would be both dangerous and fruitless.
McGraw, who has been preaching the "build-security-in" mantra for years, is highly skeptical of claims that government is now much better at "attribution" -- knowing exactly who launched an attack.
"If they have solved it, they need to tell us hard-core security people how they did it, because we don't really believe them," he said, noting that a major retaliation against a party that didn't launch an attack could be more catastrophic than the initial attack. "Proactive defense," by eliminating the vulnerabilities in the control systems, is a much better approach, McGraw argues.