Stepping up defense of net infrastructure

You leave for work and lock the door behind you. You get in the car and fasten your seatbelt. On the highway, you abide by the legal speed limit. These choices reflect a desire for physical security and an awareness, even subconsciously, of potential danger in your daily routine.

But what about the threats we can’t see?

In our personal lives, at work, and in government, the dangers posed online by cyber criminals are very real. Cybercrime and espionage cost $445 billion annually, according to the Center for Strategic and International Studies.

Javelin Strategy and Research reported that 13.1 million Americans were the victims of identity theft in 2013 alone, a figure that has steadily risen in conjunction with increased digital dependence.

We bank, manage our healthcare and shop online. Businesses interact with consumers online and exchange personal financial data. And critical infrastructure like the electric grid and wastewater treatment is increasingly dependent on Internet connectivity.

By now, we have seen glimpses of what a cyberattack can look like. It can reveal private emails of a major company like Sony Pictures Entertainment. It can compromise financial data for customers of a retailer with a household name like Target. As has been demonstrated time and again, attackers can leverage a single point of failure even in well-defended networks to gain greater access. That so many networks have gaping security deficiencies only makes the job of malicious actors easier.

Still, beyond commercial impacts, we have yet to face a worst-case scenario. Our world and our concept of warfare are shifting, and cyberattacks have the potential to cause physical damage just like kinetic weapons. It is a question of when, not if, we will face a serious cyberattack. If a cyber terrorist attacked the electric grid in winter, for example, the cost would be more than financial; it could mean loss of life.

So what do we do about it? Unfortunately, that question has been batted around for far too long. I co-founded the Congressional Cybersecurity Caucus in 2008 and have been calling for stronger cybersecurity measures ever since.

Passage of comprehensive cybersecurity legislation is long overdue, and the United States, quite frankly, has a lot of catching up to do. This problem is not going away, and while it will never be completely solved, it can be more effectively managed. The challenges presented in cybersecurity evolve as quickly as the technologies involved, and we must prioritize this issue.

First, we must pass an information-sharing bill that removes barriers among private companies and between companies and the government. This is by no means the ultimate solution, but strong public-private partnerships are absolutely necessary in cybersecurity.

Voluntary information sharing would help ensure that attacks against one entity could not be repeated against other agencies or businesses. I am particularly encouraged by the Department of Homeland Security’s efforts to make such information sharing more accessible.

One of the few Congressional victories on cyber was the formal authorization of the National Cybersecurity and Communications Integration Center (NCCIC), an entity that has quickly become a focal point for information sharing efforts. The Department of Homeland Security (DHS) has also supported development of Structured Threat Information eXpression (STIX), an open standard to allow machine-to-machine sharing of cyber threat information in real time.

An important part of cybersecurity is resilience, the ability of a network to maintain functionality in the face of a cyberattack. The concept of resilience resonates outside of IT as well. When consumers’ information is stolen, it is vital that they be notified as quickly as possible to reduce the threat of identity theft. That is why I will also be introducing legislation in the very near future to require companies hit by data breaches to notify affected consumers within 30 days.

President Obama has recognized the importance of both of these measures. I applaud him for making cybersecurity a priority and including it in his State of the Union address this year.

In the face of congressional inaction, the president has issued numerous cybersecurity executive orders to help align federal policies and support private industries. Perhaps most notably, the president directed the National Institute of Standards and Technology (NIST) to develop a cybersecurity framework, which provides organizations and businesses with a voluntary roadmap to prioritize and optimize cybersecurity investments. This risk-based approach is absolutely essential to make sure resources are appropriately and adequately allocated to the threat faced. To make our nation more secure, we need everyone to understand how serious this issue is, and the private sector must likewise invest in much-needed protections.

To fortify against cyberattacks, we need the best technology and the brightest workforce. The United States is facing a critical shortage of trained cybersecurity professionals. Our government, our military and businesses across the spectrum urgently need employees with advanced IT skills and an understanding of cyber crime and espionage.

The shortage affects every industry, and as cyber criminals become increasingly capable and dangerous, the demand rises for a skilled cyber workforce. Cybersecurity and systems security programs are on the rise at colleges nationwide, but demand continues to outpace the training available for our next-generation cyber defenders.

Eliminating the cybersecurity worker deficit will require targeted federal support both to help accelerate the development of cybersecurity education infrastructure and to encourage K-12 students to get excited about the field. Just as importantly, we must provide adequate funding for researchers both to help close the vulnerabilities that exist today and to build new systems and protocols, and design processes that have cybersecurity baked in.

Cybersecurity is essential to our personal, economic and national security. It touches our lives in so many ways, both seen and unseen.

Cyber criminals pose as significant a threat as the physical dangers we try to avoid each day. And just as we take precautions to protect against home invasion or car accidents, we need, as a nation, to start taking serious cybersecurity precautions. 

Langevin has represented Rhode Island’s 2nd Congressional District since 2001. He sits on the Armed Services and the Homeland Security committees. He co-founded and continues to co-chair the Congressional Cybersecurity Caucus.