Still not doing enough to defend our systems

During the last holiday season, tens of millions of American consumers received a jarring lesson on the vulnerability of our country’s information and payment systems. As consumers were doing their post-Thanksgiving shopping at Target and other retailers, foreign hackers who had penetrated the retailers’ cyber defenses were systematically stealing their credit card and personal information.

Some of the costs of the Target breach are easy to calculate, such as the approximately $200 million that banks have spent so far replacing stolen credit cards and the $60 million Target has spent responding to the breach. These costs will continue to mount in the coming months.

But the harm caused by these breaches doesn’t end there. The breaches have damaged the brands of Target and the other retailers whose systems were breached, and, perhaps even more seriously for our economy, American consumers’ confidence in the security of our financial payments system has been shaken. Since the breaches were made public in December, millions of Americans have been carefully scanning their credit card bills and credit reports for fraudulent charges or evidence of identity theft.

Since I have been chairman of the Senate Commerce Committee, I have been urging U.S. businesses to do a better job protecting their customers’ personal information and responding to data breaches when they occur. Companies that collect sensitive personal information from their customers — including credit card numbers, email addresses, passwords and dates of birth — have to take responsibility when they lose control of this information. When consumers’ personal data ends up, through no fault of their own, in the hands of criminals, they are in a very vulnerable position. We cannot let the companies responsible for these breaches off the hook for the damage caused to consumers.

Last month, I joined with several of my colleagues in introducing the Data Security and Breach Notification Act. This legislation would give consumers the peace of mind that companies are doing everything possible to protect and secure their personal information. The bill would create, for the first time, a federal standard for companies to safeguard consumers’ personal information. This legislation would also make sure that companies quickly notify consumers if those systems are breached.

The recent data breaches at Target and other retailers also remind us how important it is for companies to communicate honestly with their investors about their cybersecurity problems. A cyberattack is a clear material risk to any business. I am glad that the Securities and Exchange Commission (SEC) appears to be in the process of rethinking how companies disclose information, so investors have a better picture of cyber risks and incidents. Last year, I asked SEC Chairwoman Mary Jo White to issue commission-level guidance to spur companies to take their cybersecurity efforts seriously. It would go a long way toward giving investors, and consumers, more complete and timely information about cyber incidents such as data breaches.

Whatever the recent retailer data breaches end up ultimately costing our economy, they pale in comparison to the damage a successful cyberattack against our critical infrastructure would cost. The sobering prospect of a cyberattack on a major utility, port, pipeline or transportation network in our country has motivated me and other members of Congress in both parties to work hard to improve both the public and the private sector’s cyber defenses. Our national security experts almost unanimously view cyberattacks as one of the greatest threats to our country’s national and economic security.

I am disappointed that Congress has not yet been able to pass a bill that presents a comprehensive policy response to the cyber threat, but I am encouraged by the progress security experts in the public and private sectors have recently been making on this issue. For example, in response to President Obama’s February 2013 executive order, the National Institute for Standards and Technology (NIST) and a wide array of industry groups collaborated to produce the Framework for Improving Critical Infrastructure Cybersecurity, a document that will allow businesses and government agencies of all sizes to evaluate and improve their cybersecurity.

Anticipating the release of this important Cybersecurity Framework document, in July 2013, the Senate Commerce Committee reported a bill, the Cybersecurity Act of 2013, that gives NIST an ongoing role in developing and updating cybersecurity standards. This bill also encourages our federal science agencies to sponsor cybersecurity research, training and education efforts. I was pleased that this bill, which I introduced with the committee’s ranking member, Sen. John Thune (R-S.D.), garnered the support of many different industry sectors and passed out of our committee with bipartisan support.

But let’s not kid ourselves. In spite of these recent actions, our country still remains vulnerable to cyberattacks. We are still not doing enough to defend our systems against our adversaries. Whether we do it through legislation or voluntary efforts, the public and private sectors must work together more closely and invest more money in protecting our information systems.

In the same way our industrial sectors have developed a strong “culture of safety” in their workplaces, we have to create a “culture of cybersecurity” in which security becomes an integral part of writing software, designing systems and training employees. Until we accomplish this change in our culture, we should expect the headlines about damaging cyberattacks against our government and our businesses to continue.

Rockefeller is the senior senator from West Virginia, serving since 1985. He is chairman of the Commerce, Science and Transportation Committee, and he sits on the Finance, the Intelligence, and the Veterans’ Affairs committees.