Congress is moving swiftly on legislation aimed at beefing up the nation’s cybersecurity infrastructure — but even that may not be fast enough.
The private sector owns or operates more than 80 percent of our critical infrastructure, including our energy, banking and finance and transportation systems. Recent Senate measures, in addition to certain House ones, would give the federal government more involvement to protect that infrastructure.
For instance, the bipartisan Senate Bill 2105 would require owners of the most critical infrastructure to meet certain cybersecurity requirements and give regulatory authority to the Department of Homeland Security. Among other things, it would establish a unified DHS office of cybersecurity.
Federal intervention is needed. The computer worm Stuxnet physically damaged Iran’s Natanz nuclear facility, and its source code is available on the Internet. Many are concerned that a similar worm could be re-engineered to cause damage to U.S. industrial control systems.
The lack of a single catastrophic cyber emergency has created complacency. In the meantime, the Chinese and “hacktivist” groups such as Anonymous continue to bleed us of our intellectual property, data and innovative R&D.
To combat the threat, we need to adopt a radically new mindset.
First, cybersecurity education must be accelerated. There exists only 1,000 people in the entire United States for the most demanding cybersecurity tasks, but between 20,000 and 30,000 are needed, according to James Gosler, the first director of the Clandestine Information Technology Office at the CIA.
Second, cybersecurity legislation, even if it’s not perfect, needs to be passed this year. The legislation needs to keep up with the speed of change. Consider the example of obtaining search warrants. It currently can take the FBI a half-day to receive a warrant to search a malware-infected computer. Yet a bot can take over your computer in less time than it takes for you to type your password.
Third, the explosion in mobile apps and the migration of an increasing amount of data to the cloud introduces a whole new series of security vulnerabilities. Recognizing them is a necessary first step to alleviating them.
Finally, we have to consider radical alternatives, even to the Internet itself. “The long-term solution is not continuing to patch today’s Internet but to begin to construct an alternative secure network for key critical infrastructure that is more easily defended than the open source Internet,” retired Gen. Michael Hayden, a principal of the Chertoff Group and former director of the NSA and CIA, told me.
We must move our mindset to a post digital 9-11 age before a catastrophic cyber event occurs. While threats abound, the innovation we all possess to combat them is far more powerful.
Thomas K. Billington is the chief executive of Billington CyberSecurity, an independent cybersecurity seminar and media company based in Chevy Chase.