A gold standard in cyber-defense
By Joe Lieberman, Susan Collins and Tom Carper
The history of Internet security is both worrisome and instructive. When the first virus — the “Morris worm” — was launched in 1988, the Internet was a closed system of 60,000 computers used almost exclusively by academic, government and military researchers. Morris used known vulnerabilities in communications software to knock offline about 10 percent of the computers tied to the Web. The cry immediately went out for greater security, but complacency soon set back in.
Today, the Internet has more than 2 billion users — one in every three people on the planet. It is a nearly indispensable tool of modern life. But consider just a few high-profile victims of successful computer intrusions in recent months: Sony, Citigroup, the International Monetary Fund, the Gmail accounts of high-ranking U.S. officials and the computer security company RSA — an intrusion that seems to have played a part in later attacks on Lockheed Martin and perhaps other defense contractors that use RSA products.
Also lurking in the digital ether are computer viruses and worms, like Stuxnet, that could commandeer industrial control systems used to operate the valves and switches in nuclear power plants, pipelines, commercial manufacturing facilities and other critical infrastructure, and force them to shut down or perform dangerous operations.
Despite this known danger, the security firm McAfee and the Center for Strategic and International Studies found in 2010 that only 35 percent of the owners of critical systems had checked to see if Stuxnet had invaded their networks, even though 40 percent of those that did check found their systems were infected.
At his Senate confirmation hearing last month, Defense Secretary Leon Panetta warned that the “next Pearl Harbor we confront could very well be a cyber-attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.”
Legislation we have proposed would help strengthen our digital infrastructure against these kinds of exploits by creating a “gold standard” in cyber-defenses from the most sensitive networks to personal computers.
We would start by giving the Department of Homeland Security (DHS) statutory authority to work with industry to identify and evaluate the risks to the country’s most critical cyber-infrastructure — those systems that control power plants, electric grids and pipelines, all of which, if hacked, could lead to human and physical destruction and economic havoc.
Once those risks have been identified, owners and operators would select security measures to safeguard their systems. These plans would be reviewed by DHS cyber-experts to ensure they improve security. Our legislation would provide liability protection for owners and operators who are in compliance with their approved security plans.
This framework would produce cybersecurity “best practices” that would then be available as a model for the private sector. While such use would be voluntary, the development of better security techniques and the creation of industrywide standards of care would lead commercial networks to install them as a way to keep customers and draw in new ones.
Imagine the bank that has to explain to its customers — or to a court of law — that customer account information was stolen because it did not implement readily available security measures.
Some technology companies ship products with inadequate regard for security, figuring flaws can be plugged later. Our bill would encourage the federal government to do business only with companies that bake in security from the outset and avoid those that try to bolt it on later. The federal government’s purchasing power would help prod the market to produce more secure products, which would also be available to non-government consumers.
Our bill would also give DHS the statutory responsibility to ensure that the federal government is sharing threat, vulnerability and mitigation information with the private sector. Many companies want to protect their systems but are hard-pressed to determine just what they are protecting against and do not know who in the government can assist them. DHS should coordinate the information flows within the government as well as between government and the private sector.
There is no such thing as 100 percent security, on- or offline, but we must strive to strengthen our defenses against those who are constantly working to do us harm. There are some in Congress who resist taking action on cyber-threats this year, but we must put partisan politics aside, given the danger of this threat.
The alternative could be a digital Pearl Harbor — and another day of infamy.
Joe Lieberman is an independent Democrat from Connecticut. Susan Collins is a Republican from Maine. Tom Carper is a Democrat from Delaware. They serve respectively as chairman, ranking member and member of the Senate Homeland Security and Governmental Affairs Committee.