The public benefits of minimum standards for cybersecurity far exceed the costs to critical infrastructure owners and operators. Such standards should be established with significant industry input and with maximal flexibility to take into account the ever-changing world of cyberspace.
But it is abundantly clear that the status quo is not acceptable. In recent remarks about the likelihood of a successful major attack on our critical networks, Gen. Keith Alexander, head of U.S. Cyber Command and the National Security Agency, was blunt, saying: “I do think that’s coming our way. You can see this statistically; the number of attacks is growing.”
Unlike in the case of disruptions such as DNSChanger — caused by a few profit-seeking criminals in Estonia — we can’t wait to act until after an attack by a terrorist group or an enemy state hits our critical infrastructure.
Besides risking serious physical and economic damage, or even the loss of American lives, delaying reforms until after a major incident will likely mean an overreaction to cyber-threats after we are hit. If we make improvements now, we can take a limited-government approach to cybersecurity that preserves the openness of the Internet and raises awareness about noncatastrophic threats, while compelling our most vulnerable and valuable industries to guard against a truly destructive attack.
Rep. James Langevin (D-R.I.) is co-founder of the Congressional Cybersecurity Caucus and ranking member on the Armed Services Subcommittee on Emerging Threats and Capabilities.