Houston, We Have a Problem: Meeting the Threat of Cyber Vulnerability

"Houston, we have a problem" was a classic American understatement. When Apollo 13 was in desperate straits, we saw technologists coming together, harnessing their ingenuity and empowered by government, to turn things around in a moment when disaster in outer space was approaching inevitability. Today, America has a problem with the potential of disaster approaching inevitability in cyber space, and the vulnerability remains open and unaddressed. The American people feel as invulnerable as an earlier generation had felt about space travel when that voice came over the air to mission control and everyone held their breath as the scientists and engineers staved off disaster.

We have not heard a similarly understated voice telling us that America is stunningly vulnerable to cyber attack and calling us to immediate action. Instead, we now have corporate leaders and senior government officials wring their hands telling us about risks, showing more of a cover-my-ass approach to which leaders can point in a moment of failure than proposing and implementing concrete steps preventing what is otherwise an approaching inevitability.

The current government leadership approach to Internet security is akin to a morbidly obese patient addressing his condition with strong words and unaltered conduct; simply understanding risks will not defeat what is otherwise an inevitability to come without hard, direct, and quick action. Recent government proposals for outsourcing government data to third party servers and cloud computing, where the data sits in a figurative cloud accessible only through the Internet, simply make no sense because these concepts only increase our national vulnerability to a coming storm.

There are several steps that America can take, now, to limit exposure to the inevitability of cyber attacks that will upend our lives as we know them.

First, there is a need for a quick survey by the Obama Administration and implementation by executive order of a Securenet - the creation of a secure cyber infrastructure, separated from the public Internet, that would connect mission critical computers that control civilian systems (e.g., the electric grid) that are too important to fail.

Presumably the military has figured this out for its own command and control, and has created a separate network that can function at some level if the Internet crashes. Unfortunately, crucial civilian infrastructure such as water supplies, the electric grid, traffic controls, and civilian homeland security are not covered, and these are examples of systems that are open to cyber sabotage. Command and control of civilian systems that are too important to fail in case of an Internet crash is something that also must be maintained in a society subject to cyber attack, and this must be addressed before a disaster has occurred.

We have come to rely on the Internet for every manner of our lives. That means we have come to lean on a tree trunk that might be hollowed out by our enemies without our having a clue of this having taken place before it crashes under our weight. In an era when we are engaged in both real and virtual warfare with enemies that operate through sophisticated organizations and also as lone wolves preying on our vulnerabilities, this is no longer acceptable.

The Internet can be attacked by anyone having access to it, and this access is available to anyone around the globe. People sitting at computer screens in hostile nations can do us harm, but also people who can be sitting down the street or in other free societies as they plot cyber terrorism as surely as an attack on a London subway.

Taking vital infrastructure systems off the Internet and placing them on a separate secure network that is accessible only to users who have been cleared by the government and permitted limited, monitored use of this dedicated network can significantly diminish one of the greatest vulnerabilities to cyber attack. We reasonably estimate that the cost of creating such a network is $20-100 Billion, to lay fiber and connect to a central hub, with redundancy to assure robustness.

This is not about use of the Internet as a tool for entertainment, cyber shopping, or transmission of information. It is about preserving the kind of computer controls that are communicated online and keep trains on tracks and cars from colliding at intersections, or not. This is a question of preserving a cyber infrastructure that controls physical infrastructure, and it is too important to leave open to those we know wish us ill.

Online infrastructure that must remain on the open Internet remains freighted with the Internet's inherent vulnerabilities as an open network, and our risks increase as we become more reliant on the Internet. This is a particular challenge because computer users are now storing part or all of our data on remote servers that can only be accessed by our home or office computers through the Internet, so our access to that data and the applications with which we manipulate it is limited by accessibility to a functioning Internet. As we have taken television transmission and moved it from the air to cable, we have also increased the vulnerability of television broadcast communication to interruption. As we have taken voice communication and moved it to Voice -Over-IP, we have moved from a dedicated telephony network to the Internet and increased the vulnerability of phone service to interruption. If the Internet is compromised we will soon be nostalgic for rabbit ears and the handful of channels that predated HDTV.

While we cannot make a public network as secure as a private one, we can both increase its security and maintain the redundancy of physical infrastructure that leaves us with backup in the event of Internet interruption, or eradication of preserved data.

One way to take action to address this ongoing vulnerability of the Internet is in the way Congress has tried to take vital roles and put them beyond partisanship by creating term appointments for the Chairman of the Federal Reserve and Commissioner of the Social Security Administration. A Commissioner of Internet Security who is a networking expert can have a mandate to both preserve the security of our communications and the freedom of expression that is at the core of a free society. It's a tall order, but it isn't the job description for the IT professional deciding how to make government services more customer-friendly, or make government behave like a business. If we allow the Internet to be undermined, we will have neither free speech nor the economic engine that cyber communication represents, and we won't be comforted that the White House had had a website as cool as Facebook was. We cannot presume that our traditional intelligence operatives, or business leaders, will translate knowledge and skills developed in their arenas into protecting the free-wheeling, free-expression world of the Internet.

In modern life we have, significantly and increasingly, abandoned print media to express the same thoughts with words published in digital format instead of print. We have to be concerned with what happens if that free press is shackled, either because we shut up free expression, or more likely because it is shut up for us by an interruption of online publishing. Few things would undermine our society more fully than closing down our media and communications through the Internet, and the threat is real.

The message of Apollo 13 was not only to recognize that we have a problem, but that we will calmly fix it. Today, we have a problem with cyber security that is quietly moving toward a disaster, but the fact that we have the problem does not mean that we do not have the capacity to meet it. The success or failure of this generation of American leadership will ultimately be judged not on the items at the center of public debate in this moment, but on how they confront this quietly brewing infection that stalks our future as surely as the Nazi threat stalked the Thirties.

Mark A. Shiffrin, a lawyer, is a former Connecticut State Consumer Protection Commissioner and Deputy General Counsel of the U.S. Department of Education. Avi Silberschatz is Sidney J. Weinberg Professor and Chair of the Computer Science Department at Yale.