China has accounted for the largest percentage of attacks since the last quarter of 2011, according to the latest State of the Internet report from Akamai, which provides one of the largest global networks for Internet content delivery. In the third quarter of last year, China accounted for 33% of cyber attacks, more than double the previous quarter.
By comparison, the combined percentage of the second and third countries, the United States and Russia, respectively, was less than 18%, Akamai reported.
“China’s growth from the second quarter was fairly significant, and somewhat surprising,” the report said.
Akamai's report is only the latest study to bolster arguments that the U.S. needs to bring private and public organisations together to protect telecommunication systems, government and corporate networks, and power plants, water filtration systems and other critical infrastructure. Adding to the urgency is the rising number and sophistication of cyber attacks.
One example of advanced threats is the distributed denial of service (DDoS) attacks over the last several months that have sent an unprecedented amount of bogus traffic against the websites of major U.S. banks.
Over the last three years, security experts have identified three highly effective complex viruses — Duqu, Flame and Stuxnet — that have struck government systems around the world.
The growing risk is behind efforts in the U.S. Senate to try again at passing a comprehensive cyber security bill. A committee in the upper house is in the process of writing the Cyber security and American Cyber Competitiveness Act of 2013, which will eventually go to the full Senate.
Sens. John D. Rockefeller IV, chairman of the Commerce, Science, and Transportation Committee; Tom Carper, incoming chairman of the Homeland Security and Governmental Affairs Committee; and Dianne Feinstein, chairman of the Select Committee on Intelligence, introduced the proposal this week.
Experts agree on the need for legislation that would establish processes for public and private organisations to share information that would help build better defences against attacks.
“Given the continuing attacks that we are seeing against a variety of industries, some sort of legislation is an inevitable necessity, as these businesses will all have to be on the same page to stem the tide,” said Al Pascual, analyst for Javelin Strategy & Research. “The cyberthreats facing our nation are real, and we need to start getting real about a solution.”
To protect the nation, security can no longer be an option for private industry in charge of critical infrastructure.
“For a law to be successful it has to address data sharing between organisations and include provisions that address/force organisations to have security,” said Murray Jennex, an associate professor at San Diego State University and an expert in critical infrastructure security.
While security should be mandatory, the government cannot expect private industry to share information without protection from lawsuits related to customer privacy, Jennex said. There is also the issue of protecting data that a competitor could use.
“What I would like to see is a presidential order that allows companies and industries to work together, share attack information and risk information, and come to a consensus on what to do; all without the fear of being sued by customers,” Jennex said.
Also, to avoid laws that become outdated quickly, Congress should focus on establishing data-sharing processes and security requirements, without dictating which technology is used, he said.
Congress failed last year to pass the Cyber Security Act of 2012. Opponents who managed to derail the bill included business groups that argued it contained unnecessary and onerous regulations, and privacy advocates who said it did not go far enough to protect personal communications.
The latest proposal has drawn support from Janet Napolitano, secretary of the Department of Homeland Security. In urging Congress to pass legislation, Napolitano told the Wilson Center think tank in Washington that lawmakers should not wait for a “9/11 in the cyber world.”
“There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage,” a Reuters report quotes Napolitano as saying.