President Barack Obama on Thursday called on Congress to pass legislation that protects critical computing infrastructure from hackers, saying cyber threats are “one of the most serious economic and national security challenges we face.”
In an op-ed published late Thursday on the Wall Street Journal's website, Obama said hackers have not yet seriously damaged critical infrastructure, like the power grid or a water treatment plant.
“But foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day,” he wrote.
The president said computer systems that operate vital infrastructure “are being increasingly targeted," citing a water plant in Texas that took its control systems offline last year after a hacker posted a picture of the facility’s internal controls, and hackers who broke into the computer systems of companies that run natural-gas pipelines earlier this year.
Obama warned that future conflicts may involve hackers from other countries bringing down the U.S. banking system, disrupting the flow of clean water at hospitals or causing widespread blackouts.
He urged Congress to pass a revised cyber security bill that was introduced in the Senate on Thursday.
“Today we can see the cyber threat to the networks upon which so much of our modern American lives depend,” he wrote. “We have the opportunity -- and the responsibility -- to take action now and stay a step ahead of our adversaries.”
That bill, the Cybersecurity Act of 2012, creates a public-private partnership to set cyber security standards for critical infrastructure, and gives legal immunity to companies who meet those standards. The bill notably fails to impose regulations to enforce security standards.
In February, Sens. Joe Lieberman (i-Conn.), Susan Collins (R-Maine), John D. Rockefeller IV, (D-W.Va.), and Dianne Feinstein (D-Calif.) introduced a measure that would have given the Department of Homeland Security new powers to require companies that operate critical infrastructure to meet basic security standards.
Many security experts said they worry that private companies won't make upgrades to protect their computer networks without the enforceable regulations in the prior bill.
But many Republicans and business lobbyists, including the U.S. Chamber of Commerce, opposed the previous legislation because it imposed regulations. They argue the regulations would harm the companies that own and operate 85 percent of critical infrastructure.
The sponsors of the revised bill described the legislation as a “good faith effort” to secure enough votes to pass a bill.
Rockefeller said “it’s become clear that some members of the Senate would not support" the previous bill.
“While I still prefer the regulatory approach and believe that it would better protect our country, we are moving forward in the spirit of compromise with an incentives-based voluntary approach because it is a crucial matter of public safety and national security that we do something now to ensure our most critical infrastructure is protected from cyber attacks," Rockefeller said in a statement.
If the Senate passes cybersecurity legislation, that bill will need to be reconciled with legislation that passed the House in April.
The House bill, known as the Cyber Intelligence Sharing and Protection Act, or CISPA, would remove legal barriers so businesses and the federal government can share information about cyber threats. It does not include regulations on critical infrastructure.
The House legislation was criticized by privacy and civil liberties groups, who said its definition of what consumer data can be shared with the government was too broad.
The Senate bill introduced Thursday, however, was praised by privacy advocates. The bill includes amendments that narrow the definition of what information can be shared between companies and the government about cyber threats and says companies will share cybersecurity information mainly with civilian agencies, not with military entities such as the National Security Agency.
“The amendments advance the principle that information shared for cybersecurity reasons should be used for cybersecurity reasons, and not other unrelated governmental goals,” Gregory T. Nojeim, director of the Center for Democracy and Technology, said in a statement.
In his op-ed, Obama threatened to veto "any bill that lacks strong privacy and civil-liberties protections."