IN A RECENT briefing to Congress about worldwide threats, FBI Director Robert S. Mueller III said that the danger of cyberattacks will equal or surpass the danger of terrorism “in the foreseeable future.” What makes that assessment particularly alarming is that the United States may be as unprepared to defend some of its critical computer systems as it was to protect New York and Washington against al-Qaeda before Sept. 11, 2001.
Though the Pentagon has a cybercommand, it does not cover the domestic civilian economy, including vital infrastructure systems such as the electric power grid, water supplies and the financial system. Many of the computers controlling those utilities lack adequate security measures and could be devastated by viruses launched by hostile states or even hackers. As it is, U.S. companies, from defense contractors such as Lockheed Martin to e-mail carriers such as Google, are under continual assault from China and Russia, which seek to steal industrial or national security secrets and probe for infrastructure weaknesses.
Congress and the Obama administration have at least recognized the problem: Both have spent years studying it and have drawn up detailed proposals for hardening U.S. cyberdefenses. Like so much in Washington, action has been slowed by political gridlock; yet senior legislators in both parties have committed themselves to passing legislation. In fact, cyberdefense could be a signature achievement of this election year, if a few more senators can set aside partisanship and special interest appeals.
The most important – or at least, the biggest – legislation is emerging in the Senate under the sponsorship of Joseph I. Lieberman (I-Conn.), Susan Collins (R-Maine), John D. Rockefeller IV (D-W.Va.) and Thomas R. Carper (D-Del.). It is packed with provisions and updates to outdated legislation, but its most important sections would provide for information sharing by the government and private companies and mandate better security for critical infrastructure. (A couple of overreaching provisions in earlier legislation, such as authority for the president to shut down Internet traffic in a crisis, have been dropped.)
Both areas are contentious. Fresh from blocking legislation on Internet piracy, some net purists are denouncing provisions that would make it easier for companies to tell each other, and the government, about security breaches and ways to prevent them – and mandate reporting in the event of breaches of critical infrastructure. While there are legitimate civil liberty concerns, it is essential that companies are able to share information about stolen data and other cyberattacks without compromising individual privacy or exposing themselves to government sanctions.
Cooperation between the government and private companies is also badly needed to ensure protection of power and water plants, banking networks, and other infrastructure essential to modern society. The Senate legislation rightly gives the Department of Homeland Security (DHS), rather than the Pentagon, authority in this area and lays out an appropriately narrow definition of computer systems to be supervised: those whose interruption could cause “a mass casualty event”; “the interruption of life-sustaining services;” “mass evacuations”; or “catastrophic economic damage to the United States.”
Firms with such systems would be required to work with DHS on a security plan and to submit, or submit to, an audit on its effectiveness; those that fail to comply could be fined. The U.S. Chamber of Commerce and several Republican senators have objected to such DHS authority, claiming it amounts to unnecessary and costly regulation. But in the absence of government supervision, critical systems have remained unprotected. To accept the status quo would be an unacceptable risk to U.S. national security.