Joseph I. Lieberman, an independent, represents Connecticut in the U.S. Senate.
Congress has recessed until after the November elections without passing cybersecurity legislation, which a bipartisan chorus of prominent defense and intelligence officials says is urgently needed to protect our country’s economic and national security.
Director of National Intelligence James Clapper delivered an unvarnished assessment of the threat from cyberattacks when he told Congress in February: “We all recognize [cyberattacks] as a profound threat to this country, to its future, to its economy, to its very being.”
And yet, our cyberdefenses are “woefully lacking,” former national intelligence director Michael McConnell has said. That’s why Sens. Susan Collins, Jay Rockefeller, Dianne Feinstein, Tom Carper and I introduced the Cybersecurity Act of 2012 — to require a minimum level of security for the most critical privately owned cybernetworks, which will be prime targets for attack. But even this was considered “burdensome, job-killing, government regulation” by the U.S. Chamber of Commerce and its allies in the Senate.
In the interest of finding common ground, we reluctantly cut out a central feature of our bill: requiring that minimum cybersecurity standards be applied to the most critical cybernetworks upon which our security depends, such as water and transportation systems, the electric grid, communications systems and financial networks. Instead of mandating that key systems meet minimum security standards, we agreed to a voluntary program with a carrot: liability protections for companies that voluntarily adopt the standards. Still, our opponents refused to budge.
The Chamber of Commerce says that better information-sharing between the private sector and the government will keep us safe from cyberattacks. Our bill contains information-sharing provisions that have received support from industry and privacy and civil liberties advocates as well as from our nation’s military and intelligence leaders.
But information-sharing alone is a half-step, helping only some networks some of the time. If critical infrastructure systems don’t meet standards that give them the capabilities or motivation to act on timely information, or if they fail to gather information about threats to share with others, then sharing information with them in real time won’t do much good.
Many critical systems don’t even have the personnel or technological capabilities to use shared information or to gather information to share with others. A joint study by Verizon and the Secret Service found that 85 percent of all data breaches took weeks to discover and that 92 percent were discovered by third parties — usually law enforcement — not the systems’ owners. The Chamber of Commerce itself was the victim of a sustained, widespread hack by the Chinese, and if the FBI had not informed the chamber, who knows how long the breach would have gone undetected? As Deputy Defense Secretary Ashton Carter pointed out: “There is a market failure at work here. . . . Companies just aren’t willing to admit vulnerability to themselves, or publicly to shareholders.”