Computer attack on Iran nuclear program adds urgency to cybersecurity efforts

The revelation that the United States used a computer virus to damage Iranian nuclear facilities has added urgency to a push in Congress for cybersecurity legislation. 

Top administration officials, such as National Security Agency Director Keith Alexander and Homeland Security Secretary Janet Napolitano, have long argued that the nation is at risk of suffering a devastating cyber attack.

ADVERTISEMENT
A New York Times report earlier this month that a virus destroyed Iranian centrifuges makes those warnings more credible.

"We now know why they were making those predictions," said Noah Shachtman, a nonresident fellow at the Brookings Institution and a contributing editor to Wired magazine. "They were talking about themselves—not what some outside opponent could do to us, but what we were doing to others."

According to the New York Times story, the virus, which became known as Stuxnet, was created in partnership with Israeli officials. The program was launched during the Bush administration and expanded under President Obama. 

"The U.S. has basically endorsed the use of these things publicly, and that does change the game," Shachtman said.

Paul Wolfowitz, a former Deputy Secretary of Defense under President Bush, said he hopes the news of the attack would "put some added urgency" on Congress to pass cybersecurity legislation.

"Maybe it will raise awareness," Wolfowitz said. "I hope we don't have to wait for the cyber-equivalent of 9/11 before people realize that we're vulnerable."

The White House has endorsed a bill from Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) that would encourage companies to share information about cyber attacks and would require that critical infrastructure systems, such as power grids and chemical plants, meet minimum cybersecurity standards.

But many Republicans, led by Sens. John McCain (Ariz.) and Kay Bailey Hutchison (Texas), argue that the security mandates in the Lieberman-Collins bill would impose unnecessary burdens on businesses.

The debate over whether to regulate cybersecurity has caused the legislation to stall for weeks in the Senate.

In statements provided to The Hill, supporters of the Lieberman-Collins bill argued that the attack on Iran shows the need for the United States to bulk up its own cyber defenses.

“I hope the urgency with which we must treat cybersecurity issues is becoming clear to policymakers," Rep. Jim Langevin (D-R.I.) said. "Putting aside the anonymous sources in that story, we know that foreign adversaries are developing capabilities to harm us and our interests in cyberspace. We must be proactive in strengthening our cyber defenses now, before a major attack, and this requires comprehensive cybersecurity legislation."

He added that the security mandates for infrastructure systems are an essential part of the bill.

"As I have said repeatedly, any proposal that does not include minimum safety requirements for our critical infrastructure is inadequate and does not address the biggest cyber risk for our national security. Voluntary safety precautions do not work and the potential consequences of inaction are unacceptable,” he said.

Leslie Phillips, a spokeswoman for Lieberman, warned that the United States is ill-prepared for a cyber attack. 

"The press has been replete with reports on the insecurity of the cyber domain and in particular the insecurity of industrial operating systems that control the electric grid, water delivery systems, transportation, and other critical services," she said. "All of these reports are a stark reminder that security is inadequate in the online realm upon which we are almost entirely dependent."

But Adam Segal, a fellow at the Council on Foreign Relations, said the attack may actually undermine the moral authority of the U.S. government.

"If the U.S. is trying to get the owners of critical infrastructure to agree to certain standards for security, and it turns out we're creating the malware to attack it, it becomes slightly more difficult," he said

Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, made a similar point in an article this month.

He said the administration calling for cybersecurity standards is like "an arsonist calling for a better fire code."

But Wolfowitz rejected the argument that the United States is responsible for the creation of cyber warfare.

"The U.S. didn't create the problem," Wolfowitz said. "The problem has been there. Other countries and other non-state actors are capable of doing a great deal of harm."