From: Reuters

Uncontrolled security threats on the Internet could return much of the planet to  an era without electricity or automated transportation, top U.S. and Russian  experts said on Thursday.

Former National Security Agency Director Michael Hayden warned that the  United States had yet to resolve basic questions about how to police the  Internet, let alone how to defend critical infrastructure such as electric  generation plants.

And if recently discovered and government-sponsored intrusion software  proliferates in the same way that viruses have in the past, “somewhere in 2020,  maybe 2040, we’ll get back to a romantic time – no power, no cars, no trains,”  said Eugene Kaspersky, chief executive officer of Moscow-based Kaspersky Lab,  the largest privately held security vendor.

The back-to-back presentations at a Washington conference painted the  starkest picture to date about the severity of the cybersecurity problem.

The past two years have seen an escalation of such warnings, especially about  what U.S. officials have termed an unprecedented theft of trade secrets and,  more lately, mounting threats to infrastructure.

At the same time, Congress failed last month to pass legislation aimed at  protecting vital facilities, which Hayden bemoaned, and Kaspersky earlier this  year detected extremely sophisticated surveillance programs that infiltrated  personal computers and energy facilities in the Middle East.

If previous viruses were like bicycles, Kaspersky said, then the Stuxnet worm  that damaged uranium enrichment centrifuges at the Natanz plant in Iran two  years ago would be a plane, and the latest programs, dubbed Flame and Gauss,  would be “space shuttles.”

Researchers are still dissecting those heavily encrypted viruses. Kaspersky  and others say they are related to Stuxnet, which officials have privately  admitted was designed by U.S. and Israel intelligence forces.

But Kaspersky said Stuxnet, Flame and Gauss would become templates.

Although Stuxnet infected thousands of machines in friendly nations, it was  written by cautious “professionals” who minimized collateral damage, Kaspersky  said at the Billington Cybersecurity Summit at the National Press Club. The  knock-off versions by others will be much less discriminating, he added.

To show how quickly computer attacks can proliferate, Kaspersky said an  electronic assault that disabled thousands of computers at Saudi Arabia’s Aramco  in mid-August had followed a separate infection reported by an Iranian oil  company a few months ago.

Mounting a defense against nation-sponsored attacks will be extraordinarily  difficult, Kaspersky said, as it requires new operating systems designed to  manage equipment at crucial facilities. He said stopping criminals and  terrorists who will adopt the same techniques would take strong international  cooperation and deeper monitoring of the Internet, which many oppose on privacy  grounds.

“We need to upgrade our understanding that the world is different,” Kaspersky  said. “We need to pay more attention to the critical information technology  security issues.”

Yet Kaspersky and Hayden said international treaties or even nonbinding  agreements were nowhere in sight.

What is more, Hayden said, both the divided U.S. Congress and even different  agencies within the executive branch have failed to reach a consensus on  fundamental concepts, in part because the issues are still so new.

A Senate bill backed by President Barack Obama would have set voluntary  cybersecurity standards for critical plants and allowed for greater  information-sharing between intelligence agencies and private companies. But the  bill encountered opposition from both the U.S. Chamber of Commerce, which  objected to additional regulation, and the American Civil Liberties Union, which  was worried about privacy issues.

The White House is now developing an executive order that would not go so  far, but it still wants more powerful laws.

Even inside the administration, Hayden said, the Defense Department has  defined cyberspace as a warfare domain that it must “dominate,” while the  Department of Homeland Security has publicly disagreed.

A core problem is that the same communications networks are used both for  military operations and civilian transactions, which are protected from  unreasonable searches.

While most Americans would welcome a local police officer shining a light at  a shrub in their yard after seeing something suspicious, almost no one would  feel the same way about questionable Internet activity.

The National Security Agency has the most advanced capabilities for  cyberattacks and defense in the world, Hayden said.

“It is awesome,” he said. “But nobody there has the authorization to defend  you,” because the NSA is generally barred from domestic eavesdropping.

As governments and companies recognize that they have all been hacked and  focus more on limiting the damage from breaches, Hayden called for more  extensive debate from civilians on how the United States should treat the  Internet.

“You and I have not yet given our government guidance about what we want it  to do,” he said.