While government leaders often use attention-grabbing buzzwords like cyberwarfare, such expressions do not have much impact on security budgets within private industries, experts say.
The possibility of cyberwarfare has been in the spotlight for more than a year, since then-Defense Secretary Leon Panetta said in a policy speech that the nation faced the threat of "another Pearl Harbor."
Following Panetta's lead, other government leaders have also given speeches to draw the nation's attention to the risk of a wide-scale cyberattack taking down a large segment of the nation's critical infrastructure, such as power plants or financial institutions.
In a recent poll conducted by DefenseNews, U.S. leaders in national security policy, the military, congressional staffs and the defense industry rated cyberwarfare as the most serious threat facing the U.S.
Republicans, Democrats and independents in the poll of more than 350 national security leaders held that view, while differing on the second most serious threat. Respondents who identified themselves as Republicans listed terrorism and Democrats chose climate change.
As the clear bipartisan winner, cyberwarfare has become a major concern among security leaders. However, that has not led to more spending on cybersecurity within the private sector, including industries that encompass the nation's critical infrastructure, say experts specializing in industrial control systems.
"Yes, I've seen some industrial companies go above and beyond the normal practices," Jim Gilsinn, senior investigator for Kenexis Consulting, said. "Those are the examples of how things should get done if all things can be done right.
"In most cases, the companies I've dealt with have limited budgets and/or resources, so they are just trying to handle the minimum and maybe a little more to get themselves some level of protection."
The private sector is not going to increase spending because of a sound bite from a government official's speech, Kevin Coleman, strategic management consultant for SilverRhino, which specializes in government IT security, said. Companies need facts before agreeing to increase expenses that reduce profits.
"They're only going to spend what they absolutely have to and not a dime more," Coleman said.
Companies spend on what's considered "usual and customary" within their particular industry, Coleman said. During congressional hearings on cybersecurity, industry leaders will often tell lawmakers they are willing to do more if the government gives them the money to do it.
Most of the companies Gilsinn has worked with have never suffered a major cybersecurity problem, so they are cautious not to overspend.
"We work with them to implement a lot of very basic cybersecurity countermeasures in their industrial environments," Gilsinn said. "They aren't trying to defend against the threat of cyberwarfare or APT (advanced persistent threats).