Cybersecurity: Our Next Big Challenge
National security has become increasingly complex with recent advances in technology. We suffer from hundreds of millions of dollars of credit card losses annually, our companies lose hundreds of millions more in intellectual property theft through cyber espionage, and we have seen recent examples of hacker groups targeting attacks for military specific purposes. Yet our policy has traditionally not kept up with these advances in technology, crime and warfare, and we currently have no legislative framework for comprehensive response in the event of a major national security incident.
Defining the Problem
Take, for example, a cyberattack on a water treatment facility. One might assume this would be impossible; yet these systems could be tampered with electronically and could in turn cause millions of people to become seriously ill. Some of these systems are not secured and they are not adequately protected in existing policy. Nor is it clear what the process should be in the event of this kind of attack – who should be contacted first, and what action would likely be taken. While it’s unlikely that cyberterrorism has become advanced enough that we will experience an attack of this sort in the next week or year, it’s only a matter of time before terrorists become more tech-savvy.
We now have evidence of so-called “logic bombs,” rogue code in many of our critical networks and systems, most likely put there by hackers trained in China or Russia, who may or may not be government affiliated. There is no lead authority on how to respond if an incident such as a power grid outage, a nuclear facility shutdown, or a crippling virus in our financial networks occurs. The Department of Homeland Security is the logical choice for coordinating the civilian response, but that is not currently the case. Information sharing between the public and private sector in order to protect critical infrastructure systems (most of which are privately owned and controlled) has not been streamlined. Whether the goal is collaborating to prevent attacks or responding to them, there is no clear information sharing channel.
A few weeks ago, Professor Gene Spafford, Executive Director of the Center for Education and Research in Information Assurance and Security, spoke at George Washington University about “Why Fixing Cybersecurity is So Difficult.” He explained that McAfee, the leading computer security company in the world, is “registering 50 new instances of malware per minute worldwide.” (Malware is a catch-all term for any viruses, worms, phishing attempts, or other malicious code that seeks to steal information or harm computers or networks.) This is what we’re up against. And these are only the non-military instances.
The good news is that the White House understands the potential threats. John Brennan, Senior Adviser to President Obama on Counterterrorism and Homeland Security, wrote in a recent Washington Post op-ed that “Last year alone, there were nearly 200 known attempted or successful cyberintrusions of the control systems that run these [infrastructure] facilities, a nearly fivefold increase from 2010.” He added: “For decades, industry and government have worked together to protect the physical security of critical assets that reside in private hands, from airports and seaports to national broadcast systems and nuclear power plants. There is no reason we cannot work together in the same way to protect the cybersystems of our critical infrastructure upon which so much of our economic well-being, our national security and our daily lives depend.”
A growing number of our representatives in Congress also comprehend the magnitude of these threats. We now have a record number of bills under consideration that relate to cybersecurity. The bad news is that while these bills are all well intended, some of them miss the mark, and the balancing of civil liberties will be an ongoing challenge. Moving forward, we need practical bipartisan solutions that address the holes in our physical and virtual cybersecurity infrastructure without threatening privacy and freedom of speech. We also need to find solutions where DHS, DoD, FBI, NSA, OMB and private industry can all work together in the prevention of and response to large-scale cyber attacks. This way we can have a fighting chance at minimizing the devastation that would likely come from this type of attack.
Legislation Under Consideration
Recently, Congress took a closer look at some of the key pieces of legislation on the House side. CISPA, the Cyber Intelligence Sharing and Protection Act of 2011, H.R. 3523, made headlines due to vague language used to describe how information gathered from companies would be obtained and shared. Privacy activists and civil liberties organizations quickly responded that the bill could potentially be interpreted and misused by companies to harm users. Without substantive guidelines of what constitutes a threat, all kinds of personal information could also be stored in various agencies of the government without the knowledge of the individuals who provided it.
A number of amendments were added to the bill before its passage on Thursday, but none of them fully address the concerns outlined by opposing organizations like the Electronic Frontier Foundation. The White House has stated that the president will veto the bill as originally written. Many companies, including Symantec, Microsoft and Facebook, support CISPA, unlike SOPA, which would likely have stifled parts of the technology industry. So as it moves on to the Senate, this legislation still has significant momentum despite serious flaws.
The fate of related legislation is unclear. S. 2151, known as the SECURE IT Act, sponsored by Senator McCain, seeks to protect critical infrastructure but fails to provide for mandatory information sharing. That means any company controlling critical infrastructure systems that doesn’t want to let the government know about gaping holes in its security can be left alone, essentially permitting companies to leave their doors wide open to any kind of cyberattack – from corporate espionage to terrorism. And there are no audits to help companies determine whether they are doing an adequate job securing their networks. In short, this bill doesn’t do much that’s different from where we already are, beyond allowing more voluntary exchange of information, which reduces liability on corporations and could allow for increased government and corporate surveillance.
Most major companies have been hacked at some point, but most keep this information private. Publicizing attacks can lead to distrust of companies and products, so companies tend to fear sharing that kind of information. The government needs this information to be shared so it can understand what kinds of attacks are taking place and how they are being attempted, in order to properly protect our country from similar attacks. Simply making this a voluntary effort means that most companies will be too fearful or too cheap to go to the trouble of reporting cyber incidents, even though reporting could save a great deal in the long run.
The only bill currently under review in Congress with substance on critical infrastructure is S. 2105. The Cybersecurity Act of 2012, sponsored by Senator Lieberman and Senator Collins, has received the most support from the White House and the least amount of opposition. This bipartisan bill provides some positive provisions, although it could require some fine-tuning to assuage civil liberties advocates. The Cybersecurity Act has been many years in the works, and it contains sections to protect critical infrastructure, establish lead authority with DHS and allow for very specific cybersecurity information sharing. These changes are critical to moving forward on national security, focusing on our greatest vulnerability, civilian networks.
One of the concerns voiced about this bill is that there should be more specificity in defining threats and threat indicators, but the risk of that approach is similar to that of the software it protects: patching the patches, leading to more holes. Somewhere between broad and specific is a region where we can use detailed technical language to define threats without limiting the ability to prevent and respond to them. The bottom line is we need ways to clearly identify what a real threat looks like without opening up too many opportunities for what could bring on unmitigated surveillance. This needs to be solved before any bill reaches the president’s desk.
Various technology industry interests argue that security is expensive and that technology regulation could stifle innovation. These things are generally true; however, in this case, there’s nothing in the bill that pertains to specific technologies. It is important that we remember not to block innovation, but it is also important that we work with technology companies to improve security inside the technology in the first place, rather than allowing the easy way out. Too many companies send products to market without adequate testing. The reality is that we’re still running nuclear weapon systems on Windows, an operating system that was never designed for this work and is known to be insecure. We need programs that incentivize the development of secure software in the first place, encouraging greater use of encryption and authentication so that we have tighter security before the logic bombs get inside.
Present and Future Danger
This is part of the invisible elephant in the room. It’s invisible because most policy makers do not know how to properly envision cybersecurity as an overarching concept. For example, in any given computer, there may be only a few visible external physical ports where information can come in, but each computer’s operating system software has thousands of ports, any of which can be compromised if not properly secured. Firewalls can help in this area, but they must be configured properly. It’s not like a physical wall with one room behind it. Instead, picture a wall with tiny holes, each of which can connect to a small network of rooms that lead to the main chamber. Multiply this by the thousands of computers that are connected to critical infrastructure in this country – 85% of which are owned and operated in the private sector, where we have little to no control over how secure the systems are – and you begin to get a sense of the problem.
The Cybersecurity Act represents a positive step in a very long process of working toward true network security. To achieve success by any measure, we also need preventative strategies: improved security education, expanded research and development, controlled information sharing and clear authority to regulate behavior. Training people to be smarter and to develop better technology is key. The government used to develop its own software, but due to costs, we stopped. Now we’re dependent upon foreign-made and/or insecure products, often years out of date. Making these changes is not inexpensive. The cost of a large-scale cyberattack, however, could easily reach into the billions. And while we cannot afford to take on every aspect of this problem at once, we must get started, because continued inaction will mean a much larger gap between where we are and where we should be in order to achieve real security.
America needs a clear, coherent set of protections for public and private sector organizations managing our critical infrastructure. This must remain a top legislative priority in the short and long term. The process for developing these protections should be inclusive and collaborative, with checks and balances solidly in place within government and the private sector. We need investment in security research, development, and education. And we need to come together and agree upon information sharing without surveillance or invasion of privacy. Working together in a spirit of bipartisanship with technical experts and civil liberties advocates, we can find solutions, pass The Cybersecurity Act of 2012, and take an important step toward greater safety and security.
Sarah Granger is a Truman Security Fellow and co-chair of the Truman Cybersecurity Expert Group.
Sources
Washington Post op-ed
CNET article on the CISPA amendments
Malware definition
CISPA information
S. 2105 Cybersecurity Act information
EFF criticism