Recently, we completed an intensive, bipartisan six-month study on cybersecurity and presented it to the Senate Select Committee on Intelligence.
Although the nature of our study requires that most of it be classified, one of our key findings is entirely unclassified, and we hope it will change the way the country acts in cyberspace.
Simply put, computer users must practice active cyber self-defense. This means that if users would allow automatic, and generally free, software updates and maintained up-to-date antivirus software, most cyberthreats could be defeated. If computer users observed these basic “rules of the road” on the information superhighway, all Americans would be safer from cyberattacks.
America’s national and economic security depends on the resilience of our nation’s information networks. Every sector of the U.S. economy and component of the U.S. government is, in some way, dependent on networked information technologies.
This ever-growing dependency makes us vulnerable to attack. To put the scale of the vulnerability in perspective, the amount of data and intellectual property stolen from U.S. business and government computer networks each year is equivalent to the entire holdings of the Library of Congress.
The intelligence community already plays a vital role in the federal government’s cybersecurity strategy.
The National Security Agency is a reservoir of unparalleled cybersecurity expertise and talent. Throughout the course of our review, we were impressed by NSA’s capabilities and its commitment to protecting civil liberties.
Cybersecurity, however, is not just an intelligence issue. Our intelligence and defense agencies have a vital role to play, but citizens can do a lot to protect themselves and the country from cyberthreats.
About 20 percent of all malicious internet activity in the world originates from computers in the United States — three times more than any other country. Much of this activity is directed by hackers known as “bot-herders,” who hijack and organize computers into virtual armies of “botnets.” Bot-herders are often in foreign countries, and they use botnets to send out massive amounts of spam, often with malware attached, in the hopes of stealing online banking passwords or other personal information, and acquiring more bots.
Botnets can also carry out crippling attacks against Web servers by overwhelming the server with requests. Your computer may be doing this right now, without your knowledge.
Most of the malware used to hijack computers and steal personal information, however, is recognizable to antivirus software. Many times it exploits vulnerabilities for which fixes, or patches, exist but have not been applied.
For example, according to a recent report by Symantec, one-third of all internet attacks between April and June 2010 sought to exploit a vulnerability in Microsoft Internet Explorer for which a patch has been available since 2004. The attack remains popular with hackers because six years later, many computers are still not patched.
Americans can protect each other with routine maintenance. We need a national public awareness campaign that educates Americans about the theft, piracy and espionage happening everyday on the “Wild, Wild Web.”
Americans need to know that a conscientious computer user should no more travel the information superhighway with antiquated antivirus software and security vulnerabilities than a responsible driver would hit the road in a car with bad brakes, no seat belts and worn tires.
Some cyberthreats can evade or defeat many commercially available defenses. Determined nation-states and the most capable criminal syndicates are aggressively probing our nation’s information systems for vulnerabilities, stealing our intellectual property and spying on the U.S. government and U.S. businesses, using advanced techniques that cannot be defeated without the intelligence community’s unique authorities and capabilities.
But Americans could protect themselves and reduce the overall volume of malicious activity by practicing active cyber self-defense, following the rules of the road and enabling the federal government to focus its efforts on high-level cyber threats that demand a federal response. The federal government needs to get out the message.
