4 initiatives for a stronger cybersecurity bill
This week the U.S. Senate will likely pass legislation that accepts significant cybersecurity risk, an issue most Americans believe is “very important” and for which our top cyber commander says we are grossly unprepared. Don’t expect real reform until after America is crippled by the coming cyber “Pearl Harbor” attack.
Senior government officials warn lawmakers about the risks of a catastrophic cyber attack. Defense Secretary Leon Panetta frequently warns there is a “high” risk of a cyber “Pearl Harbor” that could cripple our electric, financial and governmental systems. He believes the “technological capability” to send our country into a cyber-induced “Pearl Harbor” is already available.
U.S. Army General Keith Alexander, director of both the National Security Agency and the Pentagon’s Cyber Command, said when the destructive cyber attack comes, “you lose” and the most difficult part of the problem is not knowing “who is attacking your systems.”
Last week at the Aspen Institute in Colorado, Alexander assessed U.S. readiness to confront cyber attacks as “around a three” on a scale of 10, and he also said the number of cyber attacks increased 17-fold between 2009 and 2011.
Expect the cyber threat to get worse unless there is significant investment in mitigating capabilities and tough new laws. We are vulnerable because our way of life is increasingly dependent on computerized information systems that carry out critical infrastructure operations and process ever more essential information, in both the government and private sectors.
That growing vulnerability is due to ineffective information security controls and a growing array of cyber-based threats. Those threats include criminal groups, terrorists, foreign nations such as China engaged in espionage and information warfare, and political activists. Their attack techniques vary, and their ever-increasing sophistication presents a significant challenge.
Fortunately, web-savvy Americans understand our cyber vulnerability and expect government action to mitigate that threat. A recent bi-annual Unisys Corporation national security survey found 74 percent of Americans regard protecting government systems from hackers as a “very important” issue for presidential candidates. Three-fourths (73 percent) also count defending our utilities and transportation systems from cyber attacks as “very important.”
Even though most Americans expect meaningful cyber solutions, the Senate is poised this week to pass legislation that is more form than substance. Senate Majority Leader Harry Reid admits his chamber’s Cybersecurity Act (CSA) of 2012 is “not strong enough” primarily because there is insufficient agreement on tough measures.
Sen. Joseph Lieberman (I-Conn.) and four other senators introduced the CSA, which President Barack Obama wrote in the Wall Street Journal he “strongly supports.” CSA’s strongest provision was the requirement for the Department of Homeland Security to set minimum cybersecurity standards for critical-infrastructure facilities such as power plants. That provision was dropped in the face of significant opposition from some Republicans.
“The key to successfully fighting this threat is not adding more bureaucrats or forcing industries to comply with government red tape,” Sen. John McCain (R-Ariz.) said last week after introducing an alternative cybersecurity bill with seven other Republican senators. “Instead, we must leverage the ingenuity and innovation of the private sector,” McCain told the New York Times.
Other differences among the senators stripped the remaining teeth out of the CSA as well. It no longer includes an Internet “kill switch” for the president and mandatory security upgrades for privately owned facilities. An early version of the CSA also allowed data collected through cyber programs to be used for criminal prosecutions, which is now gone except in very specific, limited circumstances such as a serious threat to minors.
Once passed, the weak Senate legislation will be conferenced with the Cyber Intelligence Sharing and Protection Act (CISPA) that passed in the House in April. CISPA excludes mandatory cybersecurity infrastructure standards but encourages businesses and intelligence agencies to share information about attacks and threats to computer systems.
But CISPA raises concerns about civil liberties that CSA avoids. It grants the “government unprecedented powers to monitor Americans’ online behaviors,” said Dave Aitel, CEO of Immunity Inc. in Miami Beach, Fla., formerly with the National Security Agency.
Expect President Obama to sign Congress’ cyber bill because this is an important election-year issue, as the polling demonstrates, and because, as he wrote in the Wall Street Journal, “… my administration has made cybersecurity a priority, including proposing legislation to strengthen our nation’s digital defenses.”
But the right thing is for Obama to veto the expected weak cybersecurity bill and insist Congress send him a tough law that includes the following four initiatives, that is, if the commander-in-chief truly believes, as do most Americans, that the cyber threat is as dire as Panetta and Alexander indicate.
First, government and private industry must share threat intelligence about the state of our networks and the capabilities and intentions of our cyber adversaries. This information will help critical infrastructure companies and vulnerable industries to be better prepared when inevitably attacked, and the sharing must be done on a timely, ongoing basis.
Second, government must establish mandatory cybersecurity standards for public utilities that are not overly cumbersome and costly. Americans deserve to know their public service providers reliably comply with industry-wide cybersecurity standards just like water treatment plants monitor contaminants for public safety.
Unfortunately, our public electricity services are especially vulnerable. A July 2012 Government Accountability Office study states that “the electricity grid’s reliance on IT systems and networks exposes it to potential and known cybersecurity vulnerabilities.” That study found a general lack of cybersecurity among American electricity systems and networks. Congress could vaccinate our utilities against outside hackers by requiring them to create cyber networks no longer tethered to the Internet.
Third, reduce cyber threats by working with foreign partners to create global cyberspace standards, strengthen law enforcement against cybercrime, and grant our armed forces the authority to deter adversaries with effective counters.
Finally, Congress must protect fundamental freedoms. The tendency will be to allow more monitoring and use of private information, like the House bill. Somehow we must thread the cybersecurity-privacy needle by protecting privacy while keeping the Internet open. Further, private industry must not become part of the government’s “Big Brother” network violating user privacy while passing cybersecurity information to government entities.
Top leaders warn America faces a cyber “Pearl Harbor.” That is why Congress must quickly pass tough legislation that gives the country better than 30 percent readiness to confront potentially catastrophic cyber attacks while protecting civil liberties.