October 5, 2009 By Chandler Harris
As the Pentagon continued its development of the F-35 Joint Strike Fighter program -- the costliest weapons project in U.S. history -- news surfaced in April that for more than a year, hackers downloaded several terabytes of sensitive data from contractors' computers.
The breach was a startling reminder that even the most secretive projects are vulnerable. Defense Secretary Robert Gates admitted to CBS News that the United States is "under cyber-attack virtually all the time, every day" and that the Pentagon is changing its strategy to combat and use cyber-warfare in U.S. defense policy. Gates ordered the creation of a new military cyber-command that will defend the Pentagon's networks and conduct cyber-warfare. The Pentagon also will more than quadruple the number of security experts it employs to combat cyber-attacks.
Yet as hackers and botnets -- groups of "zombie" computers that autonomously spam the Internet -- continue to attack organizations worldwide, a prevailing cyber-security question is how to unite the public and private sectors, as well as individual computers, to fight cyber-crime.
President Barack Obama announced that cyber-security is a national priority and that he'll appoint a cyber-security coordinator. He also stated that the U.S. government would collaborate with the private sector to create a comprehensive national cyber-security policy. But he did not outline citizen involvement, which some security experts say is crucial.
"I think civilian participation in cyber-security is absolutely essential because the systems that are used in attacks and most of the systems that are attacked are owned and operated by civilians," said Susan Brenner, professor of law and technology at the University of Dayton School of Law.
Brenner believes the current system for cyber-space enforcement is outdated and based on modern criminal law that's oriented around territorial domains, which limits law enforcement. Because cyber-attacks occur from anywhere around the world, law enforcement deterrence and prevention have become very difficult.
Brenner said cyber-crime can be prevented by information sharing and a coordinated response from the public and private sectors, and especially individual citizens. Since citizens are usually the ones attacked, Brenner said they should be included in cyber-security response by reporting attacks and making their systems more resistant.
Since civilians often don't report attacks to authorities, cyber-security enforcement is losing valuable information about cyber-attacks. If law enforcement and the military create a rapid flow of threat data across the public, private and individual sectors, the nation's cyber-security would be strengthened, Brenner said.
Brenner suggested a "distributed" approach to cyber-crime, where governments would require anyone accessing cyber-space to employ security measures, without infringing on civil liberties. New cyber-crime prevention laws could potentially require citizens and private- and public-sector organizations to implement tools necessary to prevent threats like identity theft, anonymous e-mail relaying and the expansion of botnets.
"People are currently the biggest flaws in cyber-security," said Joseph J. Schwerha, associate professor of business law at California University of Pennsylvania, who co-wrote an article with Brenner on cyber-crime. "Because information has to be available for people to use it, people are frankly the weak link in the chain."
Education has been the primary cyber-crime prevention strategy, with numerous organizations -- including the U.S. Department of Homeland Security, InfraGard and the United States Computer Emergency Readiness Team -- gathering and relaying information about cyber-threats. Education is essential on the individual level, Schwerha said, since cyber-criminals are increasingly targeting and hijacking individuals' computers to conduct cyber-warfare and perform other malicious activities.
The National Cyber Security Alliance (NCSA) is a public-private organization that specializes in cyber-security awareness to build a national understanding about appropriate online tools and behavior.