Observers say the military — or ".mil" — sector is reasonably well-protected and armed with significant offensive capability. But the Department of Homeland Security, tasked with defending the nonmilitary ".gov" domain, has proven woefully inadequate.
In June, the department's inspector general reported that DHS's cyber-security wing is chronically understaffed, roiled by constant turnover, and moving far too slowly to keep up with hackers.
Langevin, the Rhode Island congressman, adds that Homeland Security suffers from a prestige problem. "That is a new agency that is still struggling to stand itself up," he says. "It doesn't have the long institutional history and respect behind it that other departments have."
But even if the administration is able to shore up its defense of the .gov sector — and analysts say the White House is making some progress there — a more fundamental problem remains.
Much of the infrastructure that our military, government, and businesses depend upon — the power grid, telecommunications, and the like — is privately controlled. And industry, focused on profit above all else, has little incentive to make substantial investments in hardening that infrastructure against a low-probability threat.
"They believe if there's a true catastrophe, that the government will step in" and clean up after their mess, says Herbert Lin, a scientist with the National Research Council and author of a major report on offensive cyber warfare. "And they're probably right."
Of course Congress could, in theory, press industry to do more: requiring the utilities to buttress their defenses or imposing liability on Microsoft for the buggy software that makes so many computers vulnerable to attack.
But here, we run up against the limits imposed by our politics. Business is powerful. And heavy regulation of the marketplace, whatever the sins of Enron and Bear Stearns, remains anathema.
Even the Obama administration, which gets substantially higher marks on cyber security than the Bush or Clinton White Houses, has struggled to reconcile the imperatives of security and economic growth.
Last summer, interim cyber-security czar Melissa Hathaway, widely believed to have the inside track on the permanent job, resigned her post after reportedly clashing with Larry Summers and other economic advisers who wanted to have substantial influence on her work.
The eventual appointee — former Microsoft security chief Howard Schmidt — won greater independence from the administration's economic apparatus than was contemplated during Hathaway's time. But the larger tension remains.
Even as the administration sounds the alarm on cyber security, notes Harvard University law professor Jack Goldsmith, it pushes for expanded bandwidth, computerized health records, and networked smart grids — all of which open new avenues for attack.
But the press for economic growth is not the only check on a major security upgrade. Bedrock beliefs in privacy and freedom of speech also stand in the way of figures like Mike McConnell, who served as director of national intelligence under President George W. Bush and argues that we need to "re-engineer the Internet" to allow for easier tracing of online activity.
Indeed, convincing a public only dimly aware of the cyber threat to trade economic growth and privacy for enhanced online security will probably take more than the pleadings of a few former White House hands.