06.10.11

The Cyberthreat We’re Staring Down

Citibank, Sony PlayStation, Lockheed Martin, Gmail—it seems every day a new company is hacked, but instead of talking about or removing a threat that could cripple our government, we’re obsessing over Weinergate.

When are we finally going to answer the wakeup call?

For the past few weeks, almost every day has brought a new report of cyberhacking. Thursday was Citibank, which acknowledged that more than 200,000 credit card customers had their personal information stolen. Before that was defense contractor Lockheed Martin, targeted through a cyberattack on the maker of SecurID tokens that were supposed to keep its computers safe. Then there’s Sony, the victim of multiple attacks including one that shut down its PlayStation Network for weeks, and Google, where an attack apparently originating in China targeted the Gmail accounts of U.S. government officials.

And yet each story pops for a news cycle or two and dies off, dribbling into the inside pages of newspapers and barely meriting a mention on television news. Instead we get endless chatter about the debt ceiling and the potential Republican presidential field—neither of which is remotely as urgent as the cyberthreat we’re staring down right now. And don’t even get me started on Weinerama. Here we are facing potentially the biggest threat to this generation, and we’re sidetracked by crotch shots on Twitter.

Sony’s chief executive, Howard Stringer, in his first public comments about the Sony hacking, tried to sound the alarm bell. He told The Wall Street Journal last month that “It’s the beginning, unfortunately, or the shape of things to come. It’s not a brave new world; it’s a bad new world.”

But is anyone listening? One measure is press coverage, where his battle cry comes up woefully short: a Google News search Thursday turned up almost three times more results for “Weiner photo” than for “Citi hacking.”

Nor is corporate America rallying. I spoke recently with Gary Kelly, chief executive officer of Southwest Airlines, who candidly addressed a whole range of issues but shrugged off my question about cybersecurity, noting his customers’ data have never been breached and his major concern is fuel prices.

That’s a fairly typical attitude among companies that haven’t been hacked. Yet all are vulnerable. A cyberterrorist could ground every airline, for instance, by targeting the Transportation Safety Administration’s computer system, disrupting airport security screening. Even more frightening are potential cyberthreats to basic infrastructure such as the electrical grid and the Internet that would paralyze not just consumers but government and the military.

And while few companies talk about it, security experts believe the tech supply chain is more vulnerable than we’d like to believe. Virtually every major tech company has components manufactured abroad, often in China. No matter how good the security and oversight there, it isn’t perfect. In what sounds more like spy-novel territory, a top tech executive recently told me that’s what he loses sleep over: that China could track or even put sleeper controls in the components it is shipping to the U.S.

The Pentagon intends to classify cyberattacks originating in another country as an act of war. But rules governing companies are murkier. It isn’t clear when companies need to disclose cyberbreaches—or even if they have to disclose them at all. Citi is being roundly criticized for waiting until this week to acknowledge the attack that compromised its accounts last month. Sony also has been hammered for waiting almost a week to notify PlayStation Network users of the breach in April.

Calls for legislation are mounting, though so far with little effect. Sen. Patrick Leahy (D-VT), the Judiciary Committee chairman, introduced legislation this week—for the fourth time—that would impose a federal law requiring companies to notify customers of cyberbreaches.

We’re staring at a major, systemic issue, one that is more important than almost any other we’re talking about in the run-up to the 2012 election. So here’s a chance for the media, CEOs, and politicians not to blow it. This is one story line that shouldn’t be buried with the next news cycle.