When you see what makes it onto the evening news, would you say the worry about U.S. vulnerability to cyberattack is exaggerated? Or are we not worried enough?
I would say it’s exaggerated. Things have to be taken in perspective, and if you look at the billions of transactions that take place online every day, whether it’s e-commerce [or] watching online videos [or] online banking, there’s a tremendous amount of really wonderful, rich robust things that are taking place. But like anything else, the things that make the news are the things that aren’t working well.
In an interview with Wired, you said you didn’t think it was “realistic” for hackers to get into the U.S. power grid. But in light of the successful attacks we’ve seen recently against well-protected targets, how confident are you?
There are no absolutes in security—we’ve seen that in the history of humankind. Is there potential for somebody to get into some segment of the grid? Absolutely. We’ve seen that, we’ve reported it, we’ve had law enforcement investigating it. Catastrophic failure is still the part that I don’t believe is likely, and anybody who intends to try to do that is probably going to meet more resistance than they’re prepared for.
Hundreds of Internet activists recently mounted cyberattacks on companies like MasterCard and Amazon because they had ended their affiliation with WikiLeaks. How dangerous could this kind of action be?
We’ve seen over time [street] protests in cities that shut down traffic, and this is not dissimilar in the online world. There may be a disruption for a short period of time, but the bottom line is we continue to work to make sure that the impact is minimal.
A report released by McAfee in January showed that the U.S. is widely perceived as one of the three countries most vulnerable to cyberattack, along with China and Russia. Do you think that’s an accurate perception?
Any countries that depend on technology also have a commensurate vulnerability.
How has your perspective on our vulnerabilities changed in light of news stories like those about Stuxnet [the targeted computer virus that damaged part of the Iranian nuclear program]?
The vast majority of what we consider to be critical infrastructure is owned and operated by the private sector. We’re working with them to [determine] where we can get these things fixed now, where we need to redirect or remediate, and what are the resources the government can bring to bear, such as law enforcement, to send a clear message: “Don’t do this, because you will be found out.”
People are saying that we’re facing a new breed of cyberattack that’s much more advanced and targeted than in the past. Is that a false perception?
I don’t think that’s a false perception. I recognize—and many of my colleagues in the private sector and in government recognize—that there’s a real threat out there. But the threat sort of follows the way we build our defenses against it, and I think those things continue to move in parallel.