Two years after the 9/11 attacks, the Northeast and parts of the Midwest experienced one of the largest, most widespread blackouts in U.S. history. The power outage affected nearly 50 million people, caused 11 fatalities and cost our economy $6 billion.
Telecommunications failed, public transit was inoperable, and in New York City, people feared the worst and rushed into the streets to ask why their world had suddenly gone dark.
That type of scenario is at the top of the list for homeland and national defense leaders who agree that the cyber networks of the nation’s critical infrastructure are sitting ducks for the pernicious acts of criminals, hostile foreign powers, hackers and terrorists. In fact, they report that our enemies are already mapping critical networks, presumably so that if they decide to attack, they can do so swiftly, having already identified vulnerabilities. Given the existential threat to our national and economic security, the Departments of Defense and Homeland Security and intelligence officials are united in their call for minimum cybersecurity standards for the critical privately-owned infrastructure our lives depend on.
Today, the House is set to take up several cybersecurity bills on information-sharing and investing in cyber research and development. None of these bills includes necessary protections for our most critical infrastructure — rejecting the recommendations of Defense Secretary Leon Panetta, National Security Agency Director Keith Alexander and former Secretary of Homeland Security Michael Chertoff, as well as the House Republican Cybersecurity Task Force appointed by House leadership and Rep. Dan Lungren (R-Calif.), who chairs the House Homeland Security subcommittee with jurisdiction over cybersecurity.
Information-sharing is very important. But without protections for critical infrastructure, information-sharing alone is a half measure. It won’t get the job done. Virtually all cybersecurity experts agree with the now-abandoned conclusions of the House Republican Cybersecurity Task Force: if the owners of critical infrastructure systems don’t have the capabilities or desire to act on timely threat information, then sharing real-time intelligence won’t do much good. To effectively protect ourselves from the growing cyber threat, we must require that a small slice of our most critical infrastructure meet risk-based cybersecurity standards.
That’s why we have drafted the bipartisan Cybersecurity Act of 2012 (S.2105). In addition to information-sharing and R&D provisions, the bill includes minimum security performance requirements for the most critical cyber networks. We are proposing that owners of the most vulnerable systems partner with the Department of Homeland Security to develop the performance requirements to keep hackers from entering critical networks through the front door, the back door or any open windows.
Private owners of critical cyber infrastructure would be free to decide how to meet those standards, and if a network is already well-secured, the legislation would impose no additional security requirements.
The system is already blinking red in warning. FBI Director Robert Mueller has predicted that, in the near future, cyberattacks will surpass terrorism as the country’s greatest threat, while Chertoff, who served in the George W. Bush administration, said cyber threats are “one of the most seriously disruptive challenges to our national security since the onset of the nuclear age.”
The Department of Homeland Security has received close to 50,000 reports of cyber intrusions or attempted intrusions into private networks since October 2011 — an increase of 10,000 over the same period the year before. And these are only the intrusions that have been reported to the federal government. Nearly 50 reports of “attempted or successful cyber intrusions of critical infrastructure control systems” have occurred since the president called on Congress to pass cybersecurity legislation during his State of the Union address in late January, according to the White House.
We wouldn’t allow anyone to physically enter our nuclear power plants, airport control towers and utility systems to steal information and manipulate physical controls — so why aren’t we installing the same figurative fences and surveillance cameras to protect our critical cyber networks?
Our legislation would save American jobs, help businesses prosper and protect the ingenuity that built this great nation from cyber theft. Let’s not repeat the failure to act to prevent an attack, as we did before 9/11. This time, let’s raise our defenses before the attack comes.
Lieberman and Collins are chairman and ranking member, respectively, on the Homeland Security and Government Affairs Committee. Rockefeller is chairman of the Commerce, Science and Transportation Committee, and Feinstein is chairwoman of the Intelligence Committee.