August 21, 2012
President Obama is incensed that Congress failed to pass the Cybersecurity Act of 2012 and is once again considering enacting some of the bill’s measures through executive order. While the president is right to call cyber threats “one of the most serious economic and national security challenges we face,” the legislation he championed would not protect us.
It calls for companies managing our power plants and stock exchanges to meet only minimal security standards while burdening those firms with costly compliance requirements. Moreover, it grants compliant organizations legal immunity in the event of an attack. In other words, companies would have arguably less incentive to truly protect our critical infrastructure than without the law. Passing the bill would have been another “checked box” for the White House and for Congress – nothing more.
Skeptics question whether the slow-moving federal government is capable of combating the invisible hydra-headed colony of Chinese or terrorist computer hackers constantly probing our computer networks. It’s like the British Redcoats during the Revolution, lining up in proper formation and firing off orchestrated volleys from their unwieldy rifles. They were no match for Colonial squirrel hunters darting between trees and refusing to play by the rules.
A leading security and information management company called nCircle asked techies at a recent gathering if government regulation would improve information security for critical infrastructure. Sixty percent said “no.” Lamar Bailey, nCircle’s director of security research, explained in a press release that Congress doesn't have the technical expertise to craft cybersecurity laws.
“While the U.S. government has some outstanding security researchers, they are confined to the DoD and other cabinet agencies where the focus is on gathering data, not sharing it.” He adds in a phone interview, “Regulations are always geared to the lowest requirements.” Companies might comply, but still not be secure.
Industry doubts are backed by the failure of the government to protect even its own systems and information. Last year, according to the General Accounting Office, there were 15,500 breaches of government agencies -- up 19 percent from the year before. Hackers stole personal info on roughly 123,000 Federal Retirement Thrift Savings Plan participants, for instance, who were not notified of the intrusion for a full ten months.
The head of the agency claimed it didn’t have a notification plan for lack of funding. No problem -- the agency will “address data protection issues as part of its next recordkeeping contract, to be awarded in fiscal 2013.” Welcome to the nimble federal government.
There’s no denying the threat is both real and imminent. In April the investigative arm of the Department of Homeland Security (DHS) issued a warning that multiple gas pipeline companies were under attack from a single entity that was targeting “tightly focused” individuals through so-called “spear phishing.” Apparently the intrusions had gone on for five months.
DHS also warned this spring that a group pretending to be Microsoft was phoning power distribution companies and offering to help fix supposed software glitches by downloading new (compromising) software. Our vulnerability springs from many sources, including commonplace software and widely used industrial control systems that are considered outdated and porous. But – should we put the feds in charge of plugging our leaks?
Network World reports that at the Department of Energy’s Savannah River Site, responsible for nuclear-weapons-related processing, one manager said it was impossible to scan the operating software for breaches for fear the system could crash. Also, he said that “Passwords are shared” and only changed once a year. Note -- this is at a federal site.
These are frightening developments and President Obama is right to sound the alarm. Unfortunately, the Cybersecurity Act is not the answer.
What to do? Jody Westby, CEO of Global Cyber Risk, opposes the Cybersecurity Act, claiming that its so-called “voluntary” security requirements would quickly become mandatory for a vast number of already-regulated firms – not to mention expensive and of questionable value. “It’s another instance of government inside business, and another unfunded mandate,” Westby says. “It would have led to companies spending a lot of money to meet compliance requirements instead of building a better mousetrap.” She thinks Congress should start over.
Westby says that instead of erecting new regulations, the government should play a more active role in setting international standards, train law enforcement and judicial personnel in prosecuting cyber crimes, help critical infrastructure companies defend against hacking, offer tax credits to companies that invest in information security programs and require public companies to include in their SEC reports whether they have adopted industry “best practices.”
Most important is that the government should promote a culture of cyber safety. “It’s like when the government attacked high crime rates in the past. They trained police and educated people to lock their doors and protect their children. We have to change the culture.”
Mr. Bailey says a better dialogue between critical businesses and the feds is crucial. “The government spends a lot of time and money on security. They should provide ways to share their information.”
More radical types say this is war, and advocate for aggressive retaliation. Break into enough Chinese companies, power plants and pipeline systems, the thinking goes, and Beijing would have to crack down on their hacker community, or rein in their own authorized intrusions. For all we know, we’re doing just that. Given the evident shortcomings in the legislative approach, let us hope so.