And yet, our cyberdefenses are “woefully lacking,” former national intelligence director Michael McConnell has said. That’s why Sens. Susan Collins, Jay Rockefeller, Dianne Feinstein, Tom Carper and I introduced the Cybersecurity Act of 2012 — to require a minimum level of security for the most critical privately owned cybernetworks, which will be prime targets for attack. But even this was considered “burdensome, job-killing, government regulation” by the U.S. Chamber of Commerce and its allies in the Senate.
In the interest of finding common ground, we reluctantly cut out a central feature of our bill: requiring that minimum cybersecurity standards be applied to the most critical cybernetworks upon which our security depends, such as water and transportation systems, the electric grid, communications systems and financial networks. Instead of mandating that key systems meet minimum security standards, we agreed to a voluntary program with a carrot: liability protections for companies that voluntarily adopt the standards. Still, our opponents refused to budge.
The Chamber of Commerce says that better information-sharing between the private sector and the government will keep us safe from cyberattacks. Our bill contains information-sharing provisions that have received support from industry and privacy and civil liberties advocates as well as from our nation’s military and intelligence leaders.
But information-sharing alone is a half-step, helping only some networks some of the time. If critical infrastructure systems don’t meet standards that give them the capabilities or motivation to act on timely information, or if they fail to gather information about threats to share with others, then sharing information with them in real time won’t do much good.
Many critical systems don’t even have the personnel or technological capabilities to use shared information or to gather information to share with others. A joint study by Verizon and the Secret Service found that 85 percent of all data breaches took weeks to discover and that 92 percent were discovered by third parties — usually law enforcement — not the systems’ owners. The Chamber of Commerce itself was the victim of a sustained, widespread hack by the Chinese, and if the FBI had not informed the chamber, who knows how long the breach would have gone undetected? As Deputy Defense Secretary Ashton Carter pointed out: “There is a market failure at work here. . . . Companies just aren’t willing to admit vulnerability to themselves, or publicly to shareholders.”
Since Congress has not been able to find common ground on cybersecurity legislation, I appreciate the president’s stated intention to fortify the security of critical cybersystems through his executive powers. We know our adversaries are already stealing valuable intellectual property and exploiting our critical infrastructure to prepare for attack. Under the Homeland Security Act of 2002, the Department of Homeland Security has clear authority to conduct risk assessments of critical infrastructure, identify the systems or assets that are most vulnerable to cyberattack, and issue voluntary standards for them to maintain adequate cybersecurity.
Executive action is not the best way to protect the United States from cyberattacks. Without congressional action, the president cannot offer liability protections to industry to reward compliance with voluntary security guidelines. Nor can he require industry to report major cyber-intrusions. But the president can encourage owners of critical infrastructure to improve their cybersecurity by identifying systems and assets that pose the greatest risk and recommending measures necessary to protect them.
Our nation’s security interests should not be at the mercy of congressional inaction. An array of current and former homeland security secretaries, National Security Agency chiefs, CIA directors, national intelligence directors, Joint Chiefs of Staff and others who know the extent to which our most critical cybersystems have been infiltrated have called on Congress to act. We fail to listen at our peril.
In a letter to the Senate majority and minority leaders this summer, former homeland security and defense officials Michael Chertoff, Michael McConnell, Paul Wolfowitz, Michael Hayden, Gen. James Cartwright and William J. Lynnwrote: “We carry the burden of knowing that 9/11 might have been averted with the intelligence that existed at the time. We do not want to be in the same position again when ‘cyber 9/11’ hits — it is not a question of whether this will happen; it is a question of when.”
We must act before another catastrophe occurs.