From: Council on Foreign Relations
Author: Jonathan Masters, Associate Staff Writer
In January 2012, FBI Director Robert Mueller (ABC) testified that the cyber threat to the United States is expected to eclipse the threat of terrorism in the coming years. Though the country has avoided a cyber “Pearl Harbor” to date, a steady stream of significant cyber attacks, particularly by foreign sources conducting major acts of espionage, indicates the nation’s ongoing vulnerability, say some analysts. Safeguarding digital networks has been a priority of Washington for several years, but thus far the federal government has not mandated minimum levels of cybersecurity for private operators of critical information systems. Bipartisan legislation introduced in the U.S. Senate this month proposes new standards for the protection of critical infrastructure and enhanced sharing of threat information between government and private industry.
What’s at Stake
The bulk of U.S. critical infrastructure–the nation’s physical and virtual assets considered vital to national security–is privately owned and operated, and in many cases lacks the protections necessary to defend against a sophisticated cyber attack. The United States has avoided a catastrophic cyber attack on its power grid or its financial systems thus far, but, experts say, the Stuxnet worm (Wired) that sabotaged thousands of Iran’s nuclear centrifuges in 2010 has demonstrated the damage such malicious programs can cause.
Also, foreign hackers have proven highly adept at cyber espionage, pilfering valuable intellectual property from U.S. corporations involved in a variety of industries including national security (InfoWeek). In January 2012, several former top-ranking U.S. defense and intelligence officials wrote in the Wall Street Journal: “The Chinese government has a national policy of economic espionage in cyberspace.”
Supporters of the Senate legislation emphasize a need to remedy the market’s failure to provide adequate cybersecurity for these critical sectors. In her Congressional testimony, Homeland Security Secretary Janet Napolitano said the most important element of the statute “is the ability to bring all of the nation’s critical infrastructure up to a certain base standard of security” (NextGov).
Others suggest the legislation does not go far enough (AP), claiming firms could delay necessary security improvements for a number of years or poke holes in certain aspects of the bill’s language. Several ranking Republicans, who plan to offer competing legislation that emphasizes an incentive-based model, said the proposed regulations would overburden U.S. businesses. On behalf of the U.S. Chamber of Commerce (National Journal), former DHS chief Tom Ridge said the proposed regulations would be “counterproductive” and cause “a shift in businesses’ focus from security to compliance.”
Jerry Cochran, chief cybersecurity architect at Microsoft, says without government incentives or regulations, “corporations will continue to make risk-management decisions based on their individual self-interest.” A firm’s cybersecurity decisions, he explains, do not necessarily account for larger U.S. national security concerns.
In the U.S. House of Representatives, two smaller, Republican-sponsored bills embrace public-private cybersecurity partnerships and the need for an increased sharing of cyber threat information, but would not require specific standards for critical infrastructure. In The Hill, Rep. Dan Lungren (R-CA), a sponsor of one of the House bills, writes, “Government is as much to blame by over-classifying cybersecurity threat information as the private sector is for refraining from reporting cyber incidents for fear of damage to their reputation and/or price per share.” The Congressional Research Service argues that “successful information sharing will depend on the ability of each side to demonstrate it can hold in confidence the information exchanged.”
This report from The Constitution Project, a civil rights advocacy group, says any new cybersecurity programs should have the necessary protections against government’s unrestricted access to an individual’s private information.
This report from the nonpartisan Congressional Research Service provides background and analysis on efforts by the federal government to identify and protect U.S. critical infrastructure.