When special interests mischaracterize minimal standards as onerous regulations, they ignore the limited number of industries affected and the devastating consequences of a successful attack on one of these select companies. Opposition groups are so fixated on their anti-regulation dogma that they ignore the effects on millions of people.
The public benefits of minimum standards for cybersecurity far exceed the costs to critical infrastructure owners and operators. Such standards should be established with significant industry input and with maximal flexibility to take into account the ever-changing world of cyberspace.
But it is abundantly clear that the status quo is not acceptable. In recent remarks about the likelihood of a successful major attack on our critical networks, Gen. Keith Alexander, head of U.S. Cyber Command and the National Security Agency, was blunt, saying: “I do think that’s coming our way. You can see this statistically; the number of attacks is growing.”
Unlike in the case of disruptions such as DNSChanger — caused by a few profit-seeking criminals in Estonia — we can’t wait to act until after an attack by a terrorist group or an enemy state hits our critical infrastructure.
Besides risking serious physical and economic damage, or even the loss of American lives, delaying reforms until after a major incident will likely mean an overreaction to cyber-threats after we are hit. If we make improvements now, we can take a limited-government approach to cybersecurity that preserves the openness of the Internet and raises awareness about noncatastrophic threats, while compelling our most vulnerable and valuable industries to guard against a truly destructive attack.
Rep. James Langevin (D-R.I.) is co-founder of the Congressional Cybersecurity Caucus and ranking member on the Armed Services Subcommittee on Emerging Threats and Capabilities.