1. The threat is real and the nation is unprepared. All the sound and fury about the possibility of a “cyber Pearl Harbor” may seem a bit overwrought, but the harsh truth is cyber weapons that could harm Americans or wreak havoc on the American economy do exist. Indeed, the vulnerabilities in the critical systems that support our way of life may actually be worse than many experts fear. A sophisticated attack could impact power and water for a more prolonged period and across a wider geographic area than did Hurricane Sandy. Worse yet, even a relatively simple intrusion could cause major economic disruption and put lives at risk. Congress has the authority to put preventive safeguards in place to help protect the Nation from a major cyber incident.
2. It’s a bipartisan bill. The American public spoke overwhelmingly in favor of bipartisan compromise last Tuesday. The Cybersecurity Act of 2012 represents years of work by a bipartisan group of Senators to address the number one cyber concern: critical infrastructure vulnerabilities. In fact, an early version of the bill received unanimous support by the 9 Democrats and 8 Republicans on the Senate Homeland Security and Government Affairs Committee. The bill is also consistent with the comprehensive principles outlined by the House Republican Cybersecurity Task Force in 2011. Taking action on a national security issue that has bipartisan support would send a strong signal that Congress got the message November 6 and is ready to start doing what the entire Nation wants it to do – put country ahead of party.
3. It strikes the right balance between protecting privacy and facilitating information sharing. Making it easier for the private sector and government to share information about cyber threats is a necessary step. Although improved information sharing is not a panacea and cannot magically plug the holes in many of the nation’s critical infrastructure control systems, it is an important enabler for the government and private sector to respond more nimbly to cyber theft and attacks. However, Benjamin Franklin put it best when he said “they who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” Any legislation has to include strong safeguards to protect privacy and civil liberties, and the Cybersecurity Act of 2012 does just that. Leading civil liberties groups have praised the protections in the bill, while the head of the National Security Agency has also strongly supported it. If the Intelligence Community and the civil liberties community can find common ground on a national security issue, it would be tragic to let this opportunity pass by for partisan reasons.
4. It’s entirely voluntary. Earlier versions of the bill included mandatory security for the most vital of critical infrastructure entities, but in the hopes of gaining more Republican and corporate support, the sponsors stripped those provisions. Nonetheless, the bill is still a good starting point for the country to begin to address the significant risks to public safety. Many of the Nation’s critical infrastructure owners and operators have shown themselves to be unable or unwilling to adequately address their cyber vulnerabilities without Federal guidance. The Cybersecurity Act of 2012 would give infrastructure owners clear, non-prescriptive guidance and would focus their attention on a problem they have neglected, which has in turn put the entire Nation at risk. If Congress fails to act on legislation, the president should do as much as possible under existing legislative authority. An Executive Order will likely end up looking similar to the Cybersecurity Act of 2012 but without new liability protections to incent private sector participation.
5. It’s the best deal corporate critical infrastructure owners and operators are ever going to get. The current dismal state of the country’s critical infrastructure defenses makes key systems a big, easy target. Sadly, in the absence of action, a major attack is probably inevitable, and everyone knows what lawmakers do after a catastrophic event: they pass draconian measures. Critical infrastructure cybersecurity legislation is inevitable – either before an attack or after. The Cybersecurity Act of 2012 is voluntary and includes generous liability protection incentives for companies to encourage the adoption of cybersecurity improvements. It’s hard to imagine a better deal.
Finan is a consultant for Department of Defense cyber technology development programs and formerly served in the Obama Administration focusing on cybersecurity legislation.