Langevin: A Little Regulation Now Avoids Disaster Later
Earlier this month, a computer virus threatened Internet access for thousands of Americans unless they took proactive steps to remove it. According to the FBI, which successfully stopped its spread, a group in Estonia used malicious Internet servers to infect millions of computers worldwide with a program called DNSChanger, which enabled them to manipulate online advertisements and cause additional problems for unsuspecting users while raking in $14 million in illegitimate income.
After the FBI’s sting, users who relied on those servers could no longer access the Internet without temporary assistance provided by the FBI, which worked with a private company to give computer owners a few extra months to check their systems.
The handling of this episode provides an excellent template for dealing with the vast majority of cybersecurity threats. Law enforcement did its job to stop the costly scam and provide notice to the public about its potential effects. In almost all cases, this is the most direct involvement one should expect from the government. As our society relies more and more on the Internet, we all have an individual responsibility to protect ourselves and prevent harmful programs from spreading by following basic security practices, such as installing anti-virus, anti-malware and firewall software, as well as applying software updates and patches as necessary.
In general, the government should have the lightest touch possible when it comes to the World Wide Web, respecting the innovation and freedom to communicate that result from Internet openness.
The government should instead focus on making as much security information as possible available to the public and facilitating the exchange of cyber-threat details with and among the private sector to increase awareness and help everyone defend themselves. Robust privacy protections are necessary for any information-sharing arrangement, but the increased data security that results from sharing is vital for the prevention of the wholesale theft of private information that occurs every day. And it is not just Americans’ personal data at risk — foreign competitors steal billions of dollars’ worth of intellectual property a year, jeopardizing our competitive edge in a global economy.
While the DNSChanger program inconvenienced many users, like most viruses it did not threaten significant damage to our national economy. However, a different approach is needed for a limited group of industries on which we most rely for our economic security and physical health: our critical infrastructure.
Legislation and other proposals that I and cybersecurity advocates have authored would create minimum safety requirements for our power grid, water plants and sectors with similar effects on our daily lives. These industries have made remarkable strides in efficiency and automation by attaching control systems, which run everything from power plants and oil pipelines to heating and heavy machinery, to the Internet.
Unfortunately, many of these systems are uniquely vulnerable. Over years of review, we have found that too many operators have put profit ahead of public safety, forgoing basic protections and playing Russian roulette with the prospect of highly damaging attacks that could leave millions without power, safe water or other basic needs. Meanwhile, it is the American taxpayer who would ultimately be left to deal with the aftermath and pay the potentially astronomical cost of damages.
When special interests mischaracterize minimal standards as onerous regulations, they ignore the limited number of industries affected and the devastating consequences of a successful attack on one of these select companies. Opposition groups are so fixated on their anti-regulation dogma that they ignore the effects on millions of people.
The public benefits of minimum standards for cybersecurity far exceed the costs to critical infrastructure owners and operators. Such standards should be established with significant industry input and with maximal flexibility to take into account the ever-changing world of cyberspace.
But it is abundantly clear that the status quo is not acceptable. In recent remarks about the likelihood of a successful major attack on our critical networks, Gen. Keith Alexander, head of U.S. Cyber Command and the National Security Agency, was blunt, saying: “I do think that’s coming our way. You can see this statistically; the number of attacks is growing.”
Unlike in the case of disruptions such as DNSChanger — caused by a few profit-seeking criminals in Estonia — we can’t wait to act until after an attack by a terrorist group or an enemy state hits our critical infrastructure.
Besides risking serious physical and economic damage, or even the loss of American lives, delaying reforms until after a major incident will likely mean an overreaction to cyber-threats after we are hit. If we make improvements now, we can take a limited-government approach to cybersecurity that preserves the openness of the Internet and raises awareness about noncatastrophic threats, while compelling our most vulnerable and valuable industries to guard against a truly destructive attack.
Rep. James Langevin (D-R.I.) is co-founder of the Congressional Cybersecurity Caucus and ranking member on the Armed Services Subcommittee on Emerging Threats and Capabilities.