Privately-owned U.S. computer networks remain vulnerable to cyber attacks, and many U.S. companies are not doing enough to protect them, Deputy U.S. Defense Secretary Ashton Carter said on Wednesday.
“I hope this isn’t one of those situations where we won’t do what we need to do until we get slammed,” Carter told the annual Air Force Association conference.
Attacks on American computer infrastructure by other countries and criminal gangs have soared in recent years, according to U.S. government officials. Efforts to pass legislation to strengthen U.S. cyber security have met obstacles such as privacy issues.
Carter said the Pentagon was doing all it could to protect its own networks and develop offensive cyber weapons, but shoring up the nation’s overall cyber infrastructure — much of which is privately held — was far more challenging.
“When it comes to the nation’s networks there are many other forces and considerations that make it very complicated, and therefore very slow, and I’m concerned that it’s moving too slowly,” he told Reuters after his remarks at the conference.
“We’re still vulnerable and the pace is not adequate,” Carter told the conference, noting that many private companies either did not invest or invested too little in cyber security.
Congress’ failure to pass cyber security legislation this summer was very disappointing, Carter told Reuters after the speech, noting that the proposed measure would have helped increase U.S. cybersecurity “tremendously.”
As a result, the Obama administration was trying to move ahead on its own, within existing legislative constraints, he said.
“We’re trying to do without legislation some of the things -obviously we can’t do everything — that we need to do,” he said.
White House homeland security adviser John Brennan last month said the White House was exploring whether to issue an executive order to protect the nation’s critical computer infrastructure, but gave no details on the timing or possible content of such an order.
Carter told hundreds of industry executives and military officials at the conference that protecting the country’s privately-controlled computer networks raised myriad antitrust and privacy questions that needed to be addressed more quickly.
Some of those questions center on the amount and type of data that can be shared among private companies and with the government, and to what extent the government can get involved in protecting private networks.
The Pentagon is facing mounting budget pressures, especially if Congress fails to avert an additional $500 billion in across-the-board defense cuts due to start taking effect in January.
Carter said the budget reductions would have a devastating effect on a number of Pentagon programs, but continued investment in offensive and defense cyber operations would continue, along with unmanned systems, space capabilities and electronic warfare.
Debora Plunkett, of the secretive National Security Agency, whose responsibilities include protecting U.S. government computer networks, predicted earlier this month that Congress would pass long-stalled cybersecurity legislation within the next year.
She said other nations were increasingly employing cyber attacks without “any sense of restraint,” citing “reckless” behaviors that neither the United States nor the Soviet Union would have dared at the height of Cold War tensions.
In July, General Keith Alexander, head of the NSA, said during an interview at the Aspen Security Forum in Colorado, that the number of computer attacks from hackers, criminal gangs and foreign nations on American infrastructure had increased 17-fold from 2009 to 2011.