By Brendan Sasso - 03/17/12 02:49 PM EDT
Lawmakers and administration officials have warned of potentially catastrophic consequences if Congress doesn't pass cybersecurity legislation this year, but some observers question whether the rhetoric is overblown.
"Think about how many people could die if a cyber terrorist attacked our air traffic control system and planes slammed into one another," Sen. Jay Rockefeller (D-W. Va.) testified at a Homeland Security and Government Affairs Committee hearing last month. "Or if rail-switching networks were hacked — causing trains carrying people, or hazardous materials — to derail and collide in the midst of some of our most populated urban areas, like Chicago, New York, San Francisco or Washington."
"The system is blinking red – again. Yet, we are failing to connect the dots – again," Lieberman said.
Senior administration officials, including Homeland Security Secretary Janet Napolitano and FBI Director Robert Mueller, performed a classified demonstration of how the government would respond to a cyber attack on the New York City electrical grid in front of dozens of senators earlier this month.
"The simulation was realistic and illustrated just how dangerous inaction on cybersecurity legislation can be," Rockefeller said. "If we don't take these steps now, we'll be back at this again at some point in the future, only it won't be an exercise."
The hearing and demonstration were part of a push for Congress to pass the Cybersecurity Act, a bill authored by Sens. Lieberman and Susan Collins (R-Maine) that would give the Homeland Security Department the authority to require that critical private computer systems meet certain security standards. The bill would also encourage private companies to share information about cyber threats with the government.
Sen. John McCain (R-Ariz.) agrees about the threat of a cyber attack, but says the Lieberman-Collins bill would impose burdensome regulations on businesses. He has introduced an alternative bill, the Secure IT Act, that focuses on information sharing.
Jerry Brito, director of the Technology Policy Program at George Mason University, said the "rhetoric does not match the reality" on cybersecurity.
"When members of Congress talk about [cybersecurity] they conflate the different threats," Brito said.
He explained that cyber espionage is a "very real" problem that is "happening right now." Companies and foreign governments are hacking into the computer systems of American companies to steal their trade secrets and gain a competitive advantage.
But Brito said the likelihood of a cyber attack having a major "kinetic effect"—meaning significant physical destruction—is low.
He said he doubts that terrorist groups or hacker collectives like Anonymous have the sophistication to take down critical infrastructure systems.
Foreign governments, such as Russia or China, could probably wreak havoc with a cyber attack, Brito said, but they would likely only employ that tactic if the U.S. was already engaged in all-out war with them.
Brito said comparing a potential cyber attack to Sept. 11 or Pearl Harbor is "totally hyperbolic."
"We should be wary of people who are trying to make us afraid," he added.
But James Lewis, the director of the Technology and Public Policy Program at the Center for Strategic and International Studies, said "no serious analyst doubts the risk anymore" of a cyber attack.
"There are people who are naturally skeptical about anything the government says and there are the ones who are paid to be skeptical," Lewis said, but he claimed almost everyone else has accepted the seriousness of the situation.
He explained that some of the most frightening evidence of the country's vulnerability is likely classified, so it can be difficult to convince the public of the risk.
He said in 2007, the Homeland Security Department publicly demonstrated that terrorists could use software to cause machinery to break into pieces. Lewis estimated it would cost a terrorist group between $100,000 and $500,000 to acquire the technology to disrupt critical infrastructure.
"I don't think it's exaggerated," he said.
Lewis said the Lieberman-Collins bill takes a "data-driven approach" to addressing cybersecurity.
"If you take a faith-based approach, you can do whatever you want. Then you can use an information sharing approach," Lewis said, referring to the McCain bill.
He said the memory of Sept. 11 looms large for many of the lawmakers pushing cybersecurity legislation.
"There were several years of warning that something like that could happen, and we didn't take action," Lewis said. "Some of these guys are really haunted by that."