2

Who pays the bill for a cyber war?

U.S. President Barack Obama (C) arrives at the U.S. Capitol for a meeting March 13, 2013 on Capitol Hill in Washington, D.C.

The growing threat of cyber attacks has put business on the front lines of national security. Today, President Obama met CEOs of American defense and technology companies -- in the Situation Room, no less -- to discuss how companies and the government can work together to bolster digital defense. The meeting followed warnings from intelligence, defense and counter-terrorism officials that cyber security could pose as big a threat as terrorism.

One clear impact of the White House cybersecurity push is pressure on business to do more. Stewart Baker, a former senior official at the Homeland Security Department and National Security Agency, says he just met with Silicon Valley execs who are feeling the heat.

“Their boards of directors are asking questions about their cybersecurity and whether they’ve had intrusions and how they’ve responded to them,” says Baker, who is now a partner at Steptoe & Johnson. “And that’s a direct result of the kinds of publicity we’re seeing for these attacks.”

Whether it’s companies or governments, figuring out the right budget for digital defense is tricky. They never really know when they’ve spent too much. And they only know if they’ve spent too little when they get hacked. Experts don’t even agree on how much is actually being spent now.

"One number says annual global spending on cybersecurity is $18 billion. Another number says it’s $60 billion," notes Jim Lewis, a senior fellow at the Center for Strategic and International Studies and a former State Department official.

Cybersecurity analysts say a lot of the money spent on digital security is wasted. In some cases, companies aren’t even doing the simple things right, unsexy stuff like managing passwords and updating software.

“This is not rocket science. That’ll remove about 80 percent of the successful attacks," Lewis says.

Then there’s the question of who foots the bill. America’s top cyber commander said yesterday there have been 140 attacks on Wall Street firms in the past six months. An attack on a large American company could damage the entire American economy. So companies argue the government should take more of the burden.

“There’s a sense that you want the government to come in and secure the cyber borders the same way the physical borders are secured,” says Tom Field, a vice president at Information Security Media Group, a cybersecurity trade publisher.

Field hears from a lot of execs frustrated that the government isn’t doing enough. On the other hand, taxpayers may not be too thrilled to pay for the security of private companies. We may not know what the tab will be, but it won’t be cheap.

Kai Ryssdal: The White House calls. Says the president wants you to come for a meeting. You get there this morning. They take you downstairs. Maybe way downstairs. People swipe their ID cards. Maybe there are biometric measuring devices.

All of a sudden, some door whooshes open -- and you're in the Situation Room. The real one -- not the one with Wolf Blitzer. You and a bunch of fellow defense and technology company CEOs there to talk cybersecurity.

This has been a week heavy on digital threats in Washington. Intelligence, defense and counter-terrorism officials have been sounding the alarm in speeches and on Capitol Hill. Today, the White House welcomed Beijing's willingness to hold talks on cyber threats.

But in the meanwhile, there was that meeting in the Situation Room. Marketplace's Mark Garrison has more on business at the front lines of national security.


Mark Garrison: One clear impact of the White House cybersecurity push is pressure on business to do more. Attorney Stewart Baker is a former senior official at the Homeland Security Department. He just met with Silicon Valley execs who are feeling the heat.

Stewart Baker: Their boards of directors are asking questions about their cybersecurity and whether they’ve had intrusions and how they’ve responded to them. And that’s a direct result of the kinds of publicity we’re seeing for these attacks.

America’s top cyber commander said yesterday there have been 140 attacks on Wall Street firms in the past six months. Whether it’s companies or governments, figuring out the right budget for digital defense is tricky. You never really know when you’ve spent too much. You only know if you’ve spent too little when you get hacked. Experts don’t even agree on how much is being spent now.

Jim Lewis: One number says annual global spending on cybersecurity is $18 billion. Another number says it’s $60 billion.

Jim Lewis is a cybersecurity expert at the Center for Strategic and International Studies. He says for all they spend, companies aren’t even doing the simple things right, boring stuff like managing passwords and updating software.

Lewis: This is not rocket science. That’ll remove about 80% of the successful attacks.

So, who should pay? Companies argue the government should take more of the burden. Tom Field is VP at Information Security Media Group, a trade publisher. He hears from a lot of frustrated execs.

Tom Field: There’s a sense that you want the government to come in and secure the cyber borders the same way the physical borders are secured.

Of course, taxpayers may not be too thrilled to pay for the security of private companies. We may not know what the tab will be, but it won’t be cheap. In New York, I'm Mark Garrison, for Marketplace.

About the author

Mark Garrison is a reporter for Marketplace and substitute host for the Marketplace Morning Report, based in New York.
Log in to post2 Comments

This story makes me apoplectic. Companies are not even willing to take the most basic steps to protect themselves but they expect the government to come rescue them at taxpayer expense! These are the same people yelling that they are paying to much in taxes and that we need smaller government. The government is already cutting services, where do they expect this help to come from? How would these new bills going to get paid? Yet because they have to do something that doesn't add to their bottom line they expect everyone else to pay for it so they can keep their profits up and cash in their stock options.

Do these people not understand their responsibilities? They don't want the government to interfere in their business, they don't want the government to tell them what to do, they don't want to pay their fair share of taxes, they don't want to take care of their workers health or properly fund their retirements, they don't want to pay for government safety nets for the workers who's jobs they off shore but then they expect everyone else to pay to keep their businesses safe.

What the .....?!!

If the government wants to beef up the country's cyber infrastructure, it needs to stop talking from both sides of its mouth. On one hand, they shout that the sky is falling. On the other hand, government agencies (I assume the CIA, the NSA, the military, etc.) are buying zero-day exploits on the open market for use as weapons in their own cyber attacks. Because fixes for these security bugs aren't getting back to the hardware and software manufacturers, US companies suffer, too. Congress could do something useful here and pass a law outlawing the open sale of security bugs and also preventing the government from being a buyer. Put a target not just on the Chinese and the Russians, but also these "arms merchants"...both the individuals and the means by which the exploits are traded. After all, we shut down web sites selling stolen credit card data, don't we?

BTW, bills like CISPA, which was reintroduced recently in the House, aren't the answer. I would love to see the government share more cyber security information with businesses, but not at the loss of customer privacy that CISPA would allow (i.e. making and end-run around longstanding privacy laws like the Wiretap Act). I voted for the President and I agree with him on most issues, but when it comes to civil liberties, Obama is severely tone deaf. Am I right in thinking that he failed to mention civil liberties even once during his inauguration speech and the State of the Union?

With Generous Support From...