US would lose a cyber war, warns military

Experts stepped forward to warn the Senate Committee about cyber attacks

A former US director of national intelligence has warned the Senate that the US would lose an online war if it were fought today.

Mike McConnell, director of national intelligence from 2007 to 2009, and a retired US Navy vice admiral, told a hearing on cyber security held by the Senate Committee on Commerce, Science and Transportation on Tuesday that the US certainly faces an online attack and is unprepared to defend itself.

"If we were in a cyber war today, the US would lose. The federal government will spend more each year on missile defence than it does on cyber security, despite the fact that we are attacked thousands of times each day in cyber space and are vulnerable to attacks of strategic significance," he said.

"We are the most vulnerable. We are the most connected. We have the most to lose."

McConnell, who is now executive vice president of Booz Allen Hamilton's National Security Business, said that a major online attack will definitely happen in the future, and that the poor performance of the US will force the government to get involved.

The Senate Committee also heard from Dr James Lewis, senior technology fellow for at Center for Strategic and International Studies, who said that the fundamental systems behind the internet and e-commerce would have to be rethought.

"The internet was not designed to be secure. The rules and contracts put in place when it was commercialised were not written with security in mind," he said.

"So the issue for the nation is how to bring law to the Wild West, how to move from a do-it-yourself homebrew approach to cyber security, and how to secure a global digital infrastructure on which we now depend. Legislation like the Cybersecurity Act of 2010 can play a crucial role."

The hearings were convened to discuss the Cybersecurity Enhancement Act, which passed through the House of Representatives this month with a huge majority and is now up for Senate consideration.

The new laws would set minimum standards of security for companies operating parts of the US critical infrastructure, and set official standards for computer security professionals. The bill would also see $94m (£61m) set aside to fund security research, something that is desperately needed, the committee heard.

"We need to change our collective mindset so that elements of critical cyber infrastructure are designed, developed and delivered to be secure," said Mary Ann Davidson, chief security officer at Oracle.

"We do that in part by changing the educational system so that we have a cadre of people who know that critical cyber infrastructures will be attacked, and who build accordingly and defensively."