Around the globe, laws are too weak to deter cyberattacks and countries are incapable of preventing attacks. Those pessimistic findings are among the results of a worldwide survey of industry executives funded by McAfee and conducted by the Center for Strategic and International Studies (CSIS).
The study, In the Crossfire -- Critical Infrastructure in the Age of Cyber War, surveyed 600 executives and talked to dozens of security experts. The executives were questioned about their practices, attitudes and policies on security, the impact of regulation, their relationship with government, specific security measures employed on their networks, and the kinds of attacks they face, McAfee said.
The respondents indicated that government does have a role to play in cybersecurity, which is a change in industry thinking. "I have sensed for a year or more that industry, which used to think that the government didn't need to get involved, doesn't have any confidence that they can solve this problem on their own," said Stewart Baker, a distinguished visiting fellow at CSIS and a partner at law firm Steptoe & Johnson.
General Support for Regulation
Government regulation has "sharpened [corporate] policy and improved security," according to 58 percent of the respondents. But opinions varied widely by national politics. In China and Germany, more than 60 percent supported government regulation, while few in Italy and Australia did.
Globally, public-private partnerships have not taken off, with only a third of respondents saying they are participating. In the United States, where participation is higher, many executives voiced concern about "information sharing being a one-way street," the report found.
The survey results come just two weeks after Howard Schmidt took the reins as U.S. cybersecurity chief. In an interview after his first public appearance, at the State of the Net conference in Washington, Schmidt homed in on the China-based breach of Google. "I think everybody in the world who's in the security business is thinking about or working on that issue right now," he said.
'Where Was the Cyber Czar?'
But at the time Google announced the breach, the cybersecurity czar didn't exactly jump into the issue, Andrew Storms, director of security operations at nCircle, said in an e-mail. "Where was the cyber czar? All we got from our government was Secretary of State Clinton making a few remarks. This response signifies that cybersecurity is much more of a diplomacy problem than a security problem," Storms said.
And there's little nations can do to stop international cyberattacks, Storms said. "So long as the attacker is on American soil or is a U.S. resident, then we have a clear path of law enforcement with the FBI," he said. "Otherwise, U.S. companies are pretty much left to fight the war on their own and plead with government agencies for assistance."
"No amount of laws will deter cyberattacks from abroad," Storms added. "When attackers are caught, it is still so seldom that any one of these events makes front-page news."
Measuring Cyber Cost
Companies and individuals should not expect government to provide much help, Storms said.
"When it comes to protecting yourself, your company, and your property from cyberattacks, the first line of defense still rests with yourself. The companies responding to the survey all feel the same, as noted by their pessimistic responses," he added.
The survey found the cost of downtime from major attacks exceeds $6 million per day -- more than $8 million a day in the oil and gas sectors. More than a third of the respondents think the threat is growing, and two-fifths of IT executives expect a major cybersecurity incident in their sector within the next year, the survey found.
"Governance issues are paramount in any discussion of network security for critical infrastructure," an executive report concluded. "For owners and operators, their relationships to governments are a key factor in how they handle security. For governments, that relationship is crucial for the defense of national assets. In the absence of technological silver bullets, many executives see regulation -- despite its drawbacks -- as a way of improving security."