Private sector not adequately defending US cyberspace, security expert warns

For more than a decade, the United States has relied mainly on voluntary action by private companies to protect the nation's critical cyber infrastructure, but "it's not working," a cybersecurity expert told lawmakers.

Companies own 85 percent of the critical infrastructure, and they have been unwilling to invest what is needed to protect against cyberattacks, James Lewis, a senior fellow at the Center for Strategic & International Studies, told the Homeland Security cybersecurity subcommittee. That leaves key parts of the infrastructure, such as the electrical grid and financial institutions, vulnerable to crippling attacks, he said. Lewis heads the technology and public policy program at the Center for Strategic and International Studies. "No sector has a greater incentive than banks to protect their networks," he said. "They are a constant target. Some banks, particularly top-tier banks, have sophisticated defenses. Despite this, they are hacked. "If banks cannot protect themselves, why do we think other sectors will be able to do so?" Lewis asked.