Earlier this month, Leon Panetta, the Secretary of Defense of the United States, stood aboard the vessel that is the Intrepid Sea, Air, and Space Museum in New York City, and warned the audience of what he feared might become the next "cyber Pearl Harbor." Panetta's cyberdoomsday scenario hinted at a possible contamination of water supplies or shutdowns of U.S. power grids with clandestine hackers around the world having the ability to wreak havoc on our everyday lives.
"The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country," he said. "Attackers could also seek to disable or degrade critical military systems and communication networks."
Sure, plenty of critics did a collective eye-roll at Panetta's speech. But new statistics illuminate a sobering recent escalation of cyberattacks.
According to a recent McAfee poll of 200 IT executives, 80 percent have faced a large-scale denial of service attack (known often as DDoS) in the past year. Examples abound: On August 15, for instance, Saudi Arabia's state-owned oil company, Aramco, came under cyberattack. A hacker unleashed a virus that eviscerated data on about three-quarters of Aramco's corporate PCs, according to The New York Times. And earlier this week, the threat landed closer to home; Barnes and Noble announced its PIN pads had been hacked in store locations in nine states.
Kevin G. Coleman, a strategic cyberwarfare advisor and the author of The Cyber Commander's eHandbook: The Weaponry & Strategies of Digital Conflict, believes the United States could be on the brink of all-out cyberwarfare. "I think we're extremely vulnerable," he says.
So in an effort to protect both public and private infrastructures from cyberattacks, the United States has essentially doubled down on its cyberdefense spending--and much of that funding is fueling the next generation of cybersecurity start-ups. In April, The Washington Post reported that, through the U.S. Cyber Command, the Pentagon was issuing a new type of "rapid plan," in which weapons could be "financed through the use of operational funds, in 'days to months,' and some steps that ordinarily would be required would be eliminated."
Unfortunately, much of that information is classified, says Coleman. After all, government-funded cyberweaponry is a notoriously secretive operation within the Department of Defense.
"There are a lot of labs that don't publish what they're working on and it's kind of like 'black funding,'" says Coleman.
In 2010, policy makers drafted legislation that would become the Homeland Security Cyber and Physical Infrastructure Protection Act. With the new legislation came an increase in federal spending, too. According to Deltek, a national research firm that focuses on federal contracting, government spending on cybersecurity could increase 40% to $14 billion by 2016.
But perhaps the government's boldest initiative was its creation of the U.S. Cyber Command, a branch of the Army based out of Fort Meade, Maryland. Part of the U.S. Cyber Command's mission is to expand the capabilities of the Department of Defense by contracting with civilian enterprises that focus on cybersecurity. In turn, the area around Fort Meade has become an unlikely hub for innovative cybersecurity start-ups, many of them clustering around incubator programs designed to act as feeders into government contracts.
In 2011, the University of Maryland, Baltimore County opened its Advantage Incubator, Maryland's first incubator dedicated to cybersecurity technologies and companies. Its inaugural class had 16 companies.
Some of those start-ups include KoolSpan, a mobile-security-encryption start-up, and Rogue Networks, a start-up that develops software for cybersecurity problems. To streamline these companies' work, the incubator program at UMBC is also sponsored by Northrop Grumman, the giant U.S. defense contractor. That sponsorship, titled the Cync program, has already paid off: earlier this year, Rogue Networks earned a Defense Advanced Research Projects Agency Fast Track award.
The start-ups are building a variety of tools that will help the government be better equipped to handle cyberattacks. Peter Coddington, the founder of PaRaBaL, a 14-person start-up based in the UMBC incubator facility, has built a platform that provides mobile device security training to members of the government.
"We got our start with the government," he says. "The government is leading the charge; corporate America is way behind."
Another start-up in the incubator, Oculis Labs, has built software that jumbles whatever is on a user's screen when someone is looking over his or her shoulder. Bill Anderson, the company's founder and CEO, says the military uses the software for a variety of applications.
"You could have a special operator out in the hills of Afghanistan, and he's allowed to look at that," Anderson says. "The trouble is, the local liaison and the translator, they don't have a right to see that information. The problem we have to solve is how do we deliver important stuff to the guy in the field when he's in a non-ideal situation where someone else could get a look."
Anderson also says that being in Maryland helped Oculis Labs scale in the early phase of the company's growth cycle.
"Being here next to the NSA and not far from the DOD and intel space has been crucial to us because we've been able to have conversations and draw on expertise about government," he says. But with government comes bureaucracy.
"It's a different conversation, and it's a different pace," he says.
Anderson's frustration with the pace of the federal procurement process is echoed by several industry experts, as well as by the Pentagon itself.
"The U.S. government does not take sufficient advantage of innovative technology except, possibly, within 'black' budgets," wrote Daniel Greer, Jr., in Center for a New American Security, in June 2011. "The U.S. government is missing a river of innovative technology, and it is both broad and deep. No one technology missed is a crisis, but in the aggregate, the U.S. government is falling behind in what it could do and what it is expected to do to protect the nation from cybersecurity threats."