With the Obama administration reportedly circulating a draft of an executive order on cyber-security, former U.S. Secretary Robert Gates said in a keynote that nation-states are far from the only players on the cyber-battlefield.
In a keynote today at the ISC2 Security Congress in Philadelphia, Gates - who served as defense secretary from 2006 and 2011 and is also a former director of the CIA - said the threat of cyber-war waged by nation-states in some ways is less problematic than the prospect of attacks from non-state actors. His comments echoed a similar sentiment shared by FBI Director Robert Mueller III at the RSA Conference earlier this year in San Francisco, when he warned that while terrorists had not been linked to a full-scale cyber-attack, such groups are using the web for recruitment and to help operations.
"Presently the highest levels of cyber capability reside in nation-states," Gates said. "But because U.S. military power provides a strong deterrent, most nation-states have no more interest in conducting an easily traceable and highly destructive cyber attack than they do a conventional military attack. The risk for them is too great. Terrorists however have no such hesitation."
"With few assets to strike back at, they are hard to deter," he continued. "If a terrorist group gains disruptive and destructive capability, we have to assume they will strike with little hesitation. So in cyber we have a small window of opportunity to act before the most malicious actors acquire the most destructive technologies."
Adding to the threat landscape is the fact that getting involved in cyber-attacks does not require the resources and industrial infrastructure needed to mass produce military technology such as stealth fighters, he said.
"In contrast, cyber capabilities have low barriers to entry," Gates said. "A small number of highly trained programmers using off-the-shelf equipment can develop toxic tools and deploy them with great effect."
Gates' comments come as reports surface that the Obama administration has drafted an executive order in light of the failure of Congress to pass a cyber-security bill. According to the Associated Press, among the order's provisions are voluntary standards for companies and new regulations for systems considered particularly critical. In August, the Cybersecurity Act of 2012 failed to receive enough votes in the Senate to go to a final vote.
Speaking general of national security threats, Gates said it is important as the government "careens towards the so-called fiscal cliff later this year" that it does not repeat the mistakes of the 1990s and begin cutting resources dedicated to national security simply because threats seem to have subsided, he said. The cuts during the 90s, he argued, played a role in the intelligence failures that preceded the terrorist attacks on Sept. 11, 2001.
"This is not meant to excuse the real failures of leadership and execution that took place, but to realize that these failures must be understood in the context of those [military and intelligence] agencies being denied adequate resources to do all the things that are expected of them," he said.