Remember the FOX game show from a few years ago, "Are You Smarter Than a Fifth Grader?" Well, the Senate has its own version of this going on right now with the Cybersecurity Act of 2012 (S. 3414). On August 2nd, the bill failed to win a crucial "cloture" vote in the Senate that would allow a vote to be taken on the bill before the August recess.
Sometimes, things that are quite obvious to everyone else aren't so clear in the political confusion of Capitol Hill.
There have been a slew of cyber bills proposed this year, from SOPA and PIPA to CISPA -- but none have been as significant as the CSA bill, sponsored by Sen. Joe Lieberman and supported by the Obama Administration, which focuses on the protection of critical infrastructure systems from cyber attack.
Here's why this bill is important:
- It's the only bill proposed in Congress that protects America's most urgent need -- critical infrastructure systems (CISPA focuses on sharing information between big companies and the government, including private user data)
- Why is this important? If you like having electricity, safe nuclear power plants, clean water, wastewater treatment, working railways and 'sound' financial networks, then protecting them from increasingly sophisticated and dangerous cyber attacks is kind of important.
- Currently, these facilities and networks are not as secure as they should be. The National Security Agency's Gen. Keith Alexander recently stated that cyber attacks against infrastructure are up 1,700% since 2009 -- and while that is meaningless as a statistic, his continued outspoken support for efforts to regulate critical infrastructure shows how important this issue is to the U.S. military and intelligence communities.
- Hacking power plants isn't a theoretical problem. According to public reports, the United States demonstrated the ability to cause physical damage with its Stuxnet worm against Iran. Hacks against SCADA-based systems, which are what power plants and other industrial facilities run on, have been demonstrated at a number of recent hacker cons -- including last year's Black Hat, where Dillon Beresford demonstrated a homemade hack that took advantage of flaws in Siemens software.
- As Gen. Alexander pointed out, we don't want to go to war with an exposed flank. That's military common sense. Yet America's critical infrastructure presents a huge open target for our enemies.
The key hangup for this bill is that its solution is unprecedented. Until now we've never viewed private industries, like FPL, Duke Energy, Exxon and NASDAQ, as being responsible for the nation's defense. But that's just what this bill does -- it recognizes "critical" industries like energy, transportation, emergency services and financial networks as the new targets on the cyberwar battlefield and requires them to upgrade to military-style defense. This won't be easy, but it's the right thing to do. For the first time ever, rival nations now have the ability to launch relatively easy "kinetic" attacks on U.S. soil, complete with plausible deniability. This is the new world we live in.
In the debate over CSA, two main arguments have been raised against it -- but here's why they're wrong:
- It Creates an Unfair Cost for Businesses - Business advocates argue that the cost of compliance will be onerous for private businesses. Here's the problem with this logic: the government isn't inventing the threat of cyber attack. It's real, it's out there and it's already happening. Private companies will have to adopt these defensive solutions anyway to protect their own operations and profits -- and, believe me, the downtime, damage and litigation costs resulting from a sophisticated cyber attack far outweigh the expense of securing your networks to begin with. Overlooked in this debate about cost is the fact that the CSA bill offers liability protection, which will actually reduce costs.
- The Private Sector Can Do It On Its Own - It's a commonly heard argument that private industry knows best and government regulation just gets in the way. On some issues that might make sense, but not when it comes to defending against hostile nation-states. No company is able to shoulder the burden of anticipating a sophisticated global cyberattack from countries ranging from China to Iran. Just ask Google, which suffered under the "Aurora" attacks and pulled out of China as a result. The only alternative to government regulation would be an industry standard -- such as PCI DSS compliance, which is the credit card industry's cybersecurity policy. But industry solutions end up as 'bare minimums' instead of aggressive and comprehensive solutions. After all, how well has PCI compliance protected our credit cards?
Although CSA has turned into a highly partisan issue, there has been bipartisan support for it. The bill is co-sponsored by Republican Senator Susan Collins, for one. And in June, several former high-ranking government officials (all Republican appointees from the previous administration) sent a letter in support of government-backed cybersecurity standards: former CIA director (and former NSA director) Michael Hayden, former Homeland Security secretary Michael Chertoff, former director of national intelligence Mike McConnell and former deputy Defense secretary Paul Wolfowitz. For the political junkies among us, you'll recognize that Hayden is no friend to this administration and is in fact on Governor Romney's advisory board.
The bottom line is that CSA is much needed right now to protect America's critical infrastructure systems from potentially devastating and costly attacks. Unfortunately, it's unlikely to overcome these political obstacles. As is typical with legislative actions, it's probably going to take a real-world incident to motivate both sides to come to the table.
Dave Aitel is CEO of Immunity Inc., an offensive security firm serving Fortune/Global 500s and government agencies around the world. A former 'computer scientist' for the National Security Agency, Dave is a prominent cybersecurity expert who specializes in 'ethical hacking.' Dave's company is a contractor on DARPA's Fast Track cyber weapons program. www.immunityinc.com
Follow Dave Aitel on Twitter: www.twitter.com/daveaitel