The testimony of CIA director John Deutch before the Senate Governmental Affairs Committee's Subcommittee on Permanent Investigations reminds us again that the new enemy is not likely to be any of the usual suspects. Instead, we will fight cyber-terrorists who attack the nation's information systems.
Deutch proposed an organizational solution that is certain to spark plenty of discussion. Prompting the appropriate agencies to collect and then share data has always been difficult, but the Hill can certainly apply funding pressure to guarantee compliance once an agreement is reached about what is needed.
Reaching that agreement will be the tougher assignment. It is clear that no one knows the extent of the problem. Talk to any computer incident response manager, and he will tell you he's afraid of the hackers who can't be detected right now. The diverging positions of DISA and DIA on Java security reflect more than their different roles. It also points to the shortage of real information about security threats.
The CIA, as an intelligence-gathering agency, is in a position to take the lead and make some estimates, but many in government are not comfortable with the agency in that role. However, some organization needs to gather information about hackers and threats, "sanitize," declassify and then share that information. The sooner we settle on who is going to provide this service, the faster agencies will be able to prepare their defenses.