The current debate revolves around a simple concept: how do we keep hackers and foreign intelligence agencies from shutting down our electric grid, controlling our railroad switches, or manipulating financial transactions? About 85 percent of what’s known as “critical infrastructure” is owned by private entities, many of which have already been victims of cyber attacks.
This past week, a payment processor for Visa and MasterCard was breached, compromising 1.5 million credit cards. In the spring of 2011, both the Sony PlayStation Network and RSA – a company that provides security systems for the Department of Defense – were hacked. The Sony attack resulted in 77 million personal accounts stolen and the RSA attack cost the company over $66 million to investigate. Last year alone, cybersecurity breaches cost U.S. companies about $100 billion.
There are currently two efforts in the United States Senate to protect U.S. businesses and national interests. The first is a bipartisan bill, over four years in the making, championed by Senators Joe Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-WV), and Dianne Feinstein (D-Calif.). The competing bill – led by Senator John McCain (R-Ariz.) and championed by the Chamber of Commerce – was introduced just this March.
There is a lot in common in the two bills, but the biggest difference lies in how we fortify the large amount of core critical infrastructure that is owned by private companies. The Chamber of Commerce – which was breached by Chinese hackers in May 2010 – would prefer not to require businesses to meet certain standards critical to cybersecurity. The Chamber’s proposal allows businesses to voluntarily share information with the federal government about cyber breaches, an approach that leaves us vulnerable to attack and slow to detect intruders.
The bipartisan approach is better. The proposal would require owners of critical infrastructure to meet minimum security standards and, in exchange, receive only limited liability in the case of an intrusion. That’s a fair deal. This bill would also require companies to report significant breaches to the federal government. In return, they would receive help from the intelligence community in improving detection, prevention, and response techniques.
In March, the Secretary of Homeland Security, Janet Napolitano, and White House counterterrorism advisor John Brennan conducted a classified cyber attack simulation for roughly 25 U.S. Senators. The demonstration played out a scenario in which New York City’s electric system was breached. Senator Rockefeller said “the simulation was realistic and illustrated just how dangerous inaction on cybersecurity legislation can be.”
Cybersecurity legislation may be Congress’s best hope for a significant, bipartisan achievement in 2012 – and it’s necessary. The proposals are expected to reach the House floor at the end of this month and the Senate floor in May. Congress should choose the best path forward by finishing the bipartisan work started back in December 2008.
Congress faces yet another fork in the road. Either it can adopt a comprehensive approach, where the business and public sectors work cohesively to deter threats, or it can allow us to remain vulnerable to attack. The government needs to work hand-in-hand with our business community, not put out fires after they ignite. We can rise to the challenges of cybersecurity today by leaving partisan politics out of it.
Matthew Rhoades is the Director of Legislative Affairs for the Truman National Security Project.