Jon Kyl, September 12, 2003

Within three minutes on August 14, 21 power plants in the United States suddenly shut down. Fifty million people - from New York to Canada to Michigan -- lost all electric power. It happened in an instant, but the aftereffects lasted for days. More than 400 flights were canceled; major airports shut down; passengers were trapped on subways and in elevators; gas stations closed; and water was in danger of contamination. The familiar lights of New York’s Times Square were extinguished, at least for one night. Some speculated that the cause of the outage was terrorism, but that was quickly ruled out. Still, the specter of how quickly an effective cyberterror attack could cut power across a large stretch of our nation was suddenly a very real and frightening possibility.

The August blackout was far from the first time that our nation’s critical infrastructure (electricity grids, banking, water, and transportation systems, and phone lines) was found to be vulnerable to a cyber attack. In March, computer hackers took advantage of a security flaw in Microsoft's Windows 2000 Server to break into a number of U.S. Army computers. In just the past week, the FBI apprehended a high-school senior who law-enforcement officials suspected was behind a modified Internet virus that crippled computer systems worldwide. The Internet worm reportedly affected 7,000 computers.

Other recent worm and virus attacks forced the Maryland Department of Motor Vehicles to shut down, caused delays in Air Canada's flights and knocked signals offline for the CSX train network in 23 states.

Experts differ on the ease with which a terrorist group could launch a massive cyberattack, though no one doubts our vulnerability. Cyberattacks lack the drama and visible terror inflicted by more conventional attacks, so they may not be as attractive to terrorists seeking to instill panic and fear in a population and demonstrate the extent of the damage they’ve wrought.

The bigger fear is that terrorists might launch a cyberattack in conjunction with a more visible 9/11-style attack, in order to disable phone communications and emergency services. And there is evidence that al-Qaeda operatives are increasing their computer knowledge and probing U.S. web sites, particularly those connected to water or power sources. The Council on Foreign Relations reports that cyberattacks have increasingly become a component of warfare; computer networks have been attacked during recent conflicts in Kosovo, Kashmir, and the Middle East.

For several years, the federal government has worked to address our vulnerability to cyberterrorism. The Department of Homeland Security, for example, has conducted cyberattack simulations to improve response strategies in the event of a real attack. A 1997 Defense Department simulation found that attacks could cause wide disruptions in military communications and 9-1-1 networks in several cities, using widely-available software on conventional computers.

Congress has tripled funding for cybersecurity research (to nearly $1 billion over five years). We’ve passed legislation to award grants for research into new ways to combat cyberterror threats. The new House Committee on Homeland Security has created a cybersecurity subcommittee to focus on this issue (I chair the closest counterpart subcommittee in the U.S. Senate).

The U.S. Department of Homeland Security has consolidated all of the federal government's computer security efforts. It has worked with private companies to improve their cybersecurity, and created a new division with the agency: the National Cyber Security Division (NCSD). The NCSD’s mission is to identify, analyze and reduce cyber threats and vulnerabilities; disseminate threat warning information; coordinate incident response; and provide technical assistance in continuity of operations and recovery planning.

One major problem that the government has encountered in improving cybersecurity is that the vast majority of the nation’s critical infrastructure is privately owned. Many businesses have previously been reluctant to share information on their own cyber vulnerabilities, fearing that such confidential information could be obtained by the public or its competitors under the Freedom of Information Act (FOIA). Efforts to get an exemption from FOIA for this sort of information sharing - including legislation I co-sponsored in the Senate before the 9/11 attacks - met fierce resistance from so-called government watchdog groups.

While the growing recognition of the longstanding danger of cyberterrorism is certainly welcome, our government has a long way to go before eliminating the cyberterror threat. But we are taking steps in the right direction, steps that hopefully will prevent a massive disruption to the functioning of our nation’s most critical systems.

John Kyl is a Republican senator from Arizona.