×

The government is unprepared for a cyber attack

Computer hacker
AndreyPopov | Getty Images

On September 11, 2001, our country suffered the most devastating day in the living memory of most Americans. Nearly 3,000 innocent people died in a few surreal, nightmarish hours.

Fifteen years later, it is important to remember that the lessons of 9/11 were not only about terrorism—they were also about how national security leaders analyze dangers on the horizon, how they alert the public to the risk, and whether we are collectively able to act before those risks manifest in devastating fashion.

Before the 9/11 attacks, experts within the government recognized the danger that al Qaeda posed, but most Americans were unaware of the threat—largely because their leaders did not do enough to explain it to them. And despite the threat awareness inside government, few imagined that an al Qaeda attack would kill thousands of Americans, or that al Qaeda would use hijacked aircraft as suicide bombs.

The 9/11 Commission—on which we served—called the government's inability to foresee and prevent suicide hijackings a "failure of imagination." Unfortunately, we fear that the complacency and inaction that led to 9/11 may be repeating—not in counterterrorism, but in the cyber realm.

Electronic networks are the lifeblood of modern commerce, government, finance, and even social life. The list of high-profile breaches seems unending. Chinese-government-backed hackers have stolen the plans to dozens of our most advanced weapons systems. Iran has hacked into banks, oil companies, and even a dam in suburban New York. North Korea hacked into Sony Pictures and released reams of private data.

China, again, was behind the hack of more than 20 million security-clearance records from the Office of Personnel Management, a counterintelligence disaster for the United States. Now it appears that Russia is attempting to subvert our elections by hacking into Democratic Party organizations and leaking internal emails.

And those are only state-sponsored hacks; cyber criminals regularly steal credit card data, social security numbers, and other sensitive data from corporate systems. Perhaps most damaging, over the years Chinese hackers have stolen intellectual property worth trillions of dollars from American companies, in what former National Security Agency (NSA) Director Keith Alexander called "the greatest transfer of wealth in history."


"Leaders in government and the private sector need to explain to the public—in clear, specific terms—how severe this threat is and what the stakes are for the country. After 9/11, an engaged public helped make us safer. We need the same level of engagement to address the cyber threat."

As a nation, we are not doing enough to fix the pervasive insecurity of vital electronic networks or to deter other countries from attacking us. Government experts are aware of the threat, but are not doing enough to encourage—and help—the private sector protect the networks on which our country's security depends. We fear that it will take a catastrophic event to galvanize us to act.

There are a number of things the government can do to discourage hostile actors from attacking vital electronic networks in the United States. On the defensive side, government can create incentives for American companies and other vulnerable institutions to deploy sophisticated network-defense technologies.

These can include not just traditional security measures to keep attackers out, but also incident-response tools to mitigate the consequences when hackers get in and "active defense" tools to frustrate and expose them. Both government agencies and companies must encrypt sensitive data stored on their systems; encryption would have protected, for example, the 20 million personnel records stolen from OPM.

On the offensive side, the government can combine all elements of national power to deter and punish hostile cyber behavior. Fortunately, there are many tools available, so that response in the cyber realm is not the only option. President Obama has created a mechanism for imposing economic sanctions on malicious cyber actors.

Criminal indictments have had some effect on China's theft of American companies' intellectual property. The United States is believed to have its own highly effective offensive cyber capabilities, which can be used to retaliate where appropriate. For example, some believe that the United States temporarily knocked out North Korea's access to the Internet in response to the Sony attack. Finally, the United States reserves the right to use military force in response to certain cyberattacks.

Most importantly, however, leaders in government and the private sector need to explain to the public—in clear, specific terms—how severe this threat is and what the stakes are for the country. After 9/11, an engaged public helped make us safer. We need the same level of engagement to address the cyber threat.

One lesson of 9/11 is that lurking threats will not be adequately addressed until the public recognizes them and demands action. It should not take another catastrophic event for that to happen in the cyber realm.

Commentary by Jamie Gorelick and former Sen. Slade Gorton. Both served as members of the 9/11 Commission. Follow Sen. Gorton on Twitter @Slade_Gorton.

For more insight from CNBC contributors, follow @CNBCopinion on Twitter.