Sen. McCain's cyber bill will still leave us vulnerable

The Pacquiao-Bradley decision was, no doubt, costly. Pacquiao lost his WBO Welterweight title and Ireland’s largest telephone betting service granted refunds to everybody who bet on him in what they described as a “justice payout.”

ADVERTISEMENT
I do not disagree with Senator McCain that boxing should be better regulated. What I have a hard time understanding is why Senator McCain feels it is so important to set minimal standards for boxing—but not for the country’s critical infrastructure, which he would prefer to leave at risk.

General Keith Alexander, Commander of U.S. Cyber Command, wrote Senator McCain directly warning him that “a purely voluntary and market driven system is not sufficient” to protect critical networks. Despite these warnings, Senator McCain still does not want to ensure that our vital systems are secure. His approach to cybersecurity leaves the networks that our society depends on vulnerable.

In March, Senator McCain introduced the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (or SECURE IT) Act of 2012. The focus of the bill is to improve information sharing on cyber threats so entities can protect themselves from ongoing and developing cyber attacks. Unlike his boxing legislation, the SECURE IT Act does not set “basic uniform standards” for the nation’s critical infrastructure.
Critical infrastructure is comprised of systems so vital to the United States that a disruption would have a debilitating effect on national security, the economy, or public health and safety. In layman’s terms, critical infrastructure is everything from power grids to hospitals to financial institutions.

Recently, a homemade computer search engine gathered data on millions of devices (including computers that control water plants, power grids, and a nuclear particle accelerator) over a two year stretch and copied their locations and software systems, exposing vital information to hackers. The program, called Shodan, was the work of a single community college student in California.

Attacks on our critical infrastructure are a regular occurrence. In May, the Department of Homeland Security announced there was a coordinated cyber attack on gas pipeline delivery systems. The Nuclear Security Enterprise reportedly experiences up to 10 million cyber "incidents" each day and, in 2009, cyber criminals stole more than $100 million from U.S. banks.

According to information technology executives surveyed in a McAfee and CSIS study, 80 percent of critical energy infrastructure systems have been the victim of a cyber attack. The FBI's Cyber Task Force estimates that the total number of cyber attacks in the United States ranges in the tens of thousands per day.

These are just a few examples in a long line of attacks and intrusions. Recently, the Director of Intelligence at U.S. Cyber Command warned there currently is “a global cyber arms race.” And according to the FBI, at least half a dozen foreign countries are penetrating American business and military computer systems.

A better approach is to have the business community work with cybersecurity experts in the federal government to create minimal security standards for critical infrastructure. The standards would be industry-driven, ensuring that we are protecting our networks without damaging the business community’s bottom line. A bipartisan bill in the senate—the Cybersecurity Act of 2012—would do just that.

Voluntary security standards leave a weak link in the chain that intruders will continue to expose. With cyber capabilities proliferating globally, it is important that we protect our networks now. Senator McCain’s bill takes a weak stance and leaves us vulnerable. The man who frequently tells the president to listen to his generals on the ground should take his own advice and change course.
 
Rhoades is the director of legislative affairs for the Truman National Security Project, the country’s only progressive national security leadership institute.