Lieberman and Collins: Don’t Wait Until After a Cyber 9/11 to Act
The Internet was born in October 1969, and for the first half of its life was just a tiny hamlet of academic and government computers networked in a way that made it easy for researchers to share their work — a digital Mayberry where people left their doors unlocked because there were few strangers to fear.
But this small-town architecture that remains the core of the Internet’s foundation is cracking under the demands placed on it as it has grown into a global megalopolis that touches almost every part of our daily lives. We use it for entertainment, communications, banking, commerce and to control the systems that open and close the valves and switches in our critical infrastructure — things like power plants, energy pipelines and our financial, transportation, and water systems.
Today, the Internet is under attack on all fronts. National Security Agency Director Gen. Keith Alexander blamed cyber-attacks for the “greatest transfer of wealth in history” estimating that U.S. companies lose about $250 billion a year through intellectual property theft, $114 billion to theft through cyber-crime and another $224 billion in downtime the thefts caused. As Alexander said, “This is our future disappearing before us.”
If this kind of economic loss isn’t enough to motivate us to pass strong cybersecurity legislation, to better defend the systems we all depend on, consider this: A recent story in the Washington Post detailed how a young man living an ocean away was able to use his computer to hack into the control panel of a small-town water utility in Texas. It took him just 10 minutes and required no special tools or training. And the utility had no idea of what had happened until the hacker posted screenshots of his exploit online as a warning of how vulnerable we all are.
The bipartisan Cybersecurity Act — which we have introduced with our Senate colleagues Jay Rockefeller (D-W.Va.), Dianne Feinstein (D-Calif.) and Tom Carper (D-Del.) — seeks to strengthen our computer networks’ security with a combination of information sharing and the establishment of a voluntary cybersecurity program for our most critical infrastructure that could cause deaths and economic and environmental disasters if they were commandeered or sabotaged through a cyber-attack by a rival nation, cyber-terrorist or rogue hacker.
Information sharing will allow private-sector network owners to share threat information among themselves and the federal government, and, in turn, the federal government will be able to share threat information it discovers with the private sector and together defend our country.
Our bill includes strong privacy protections to guarantee the identity of individuals engaged in routine Internet activity cannot be singled out as part of the information-sharing process and establishes a privacy officer to enforce these provisions.
When it comes to our most critical infrastructure, information sharing is not enough.
Under our bill, industry will develop a set of cybersecurity practices that will then be reviewed by a new National Cybersecurity Council. The NCC, which will be chaired by the secretary of Homeland Security and made up of representatives from the Defense, Commerce and Justice departments and various other agencies, will review these practices to ensure they provide an adequate level of security. Owners of critical infrastructure will then have the option of joining a voluntary program in which, if they implement the cybersecurity practices, they would be entitled to certain benefits.
Let’s use that Texas water utility that was hacked as an example of why information sharing is not enough and security practices need to be agreed to. The owners had no idea their system was connected to the Internet, so information sharing wouldn’t have helped because they had no idea they were at risk in the first place.
And this need not be expensive. A recent report by Verizon, the Secret Service and other international law enforcement agencies analyzed 855 data breaches in 2011 and found that 96 percent were not difficult to pull off and 97 percent could have been prevented through fairly simple and inexpensive means.
Using the Texas example again, the hacker was able get onto the control board because the utility had never changed the three-digit password installed by the factory — and that was easy to find in technical manuals available on the Internet.
Six of our nation’s most experienced Republican and Democratic national security leaders have endorsed our approach and urged the Senate to act “as soon as possible.”
In a letter to the Senate Majority and Minority Leaders, former Homeland Security Department Secretary Michael Chertoff, former National Intelligence Director Adm. Michael McConnell, former Deputy Defense Secretary Paul Wolfowitz, former National Security Agency and CIA Director Michael Hayden, former Joint Chiefs of Staff Vice Chairman Marine Gen. James Cartwright and former Deputy Defense Secretary William J. Lynn wrote:
“Infrastructure that controls our electricity, water and sewer, nuclear plants, communications backbone, energy pipelines and financial networks must be required to meet appropriate cybersecurity standards. … We carry the burden of knowing that 9/11 might have been averted with the intelligence that existed at the time. We do not want to be in the same position again when ‘cyber 9/11’ hits — it is not a question of whether this will happen; it is a question of when.”
Many more of our nation’s top security officials, including Defense Secretary Leon Panetta and Joint Chiefs of Staff Chairman Gen. Martin Dempsey, have issued similar warnings.
The threat board is blinking red. Congress needs to act now before a cyber 9/11.
Sen. Joe Lieberman (I-Conn.) is chairman of the Homeland Security and Governmental Affairs Committee. Sen. Susan Collins (R-Maine) is the panel’s ranking member.