Senior Obama administration officials walked some 50 U.S. senators through a cyberattack scenario Wednesday evening to press for pending legislation that would give the Department of Homeland Security authority to force critical industries to better protect their systems.
The scenario: a computer attack on the electricity grid in New York City during a summer heat wave.
Using PowerPoint graphics, officials explained that the attack is launched by a software virus inserted into the system when an unsuspecting power company employee clicks on an infected attachment in an e-mail — a technique known as “spear phishing.”
The virus spreads unchecked through the system, causing power outages and blackouts. The effects, officials said, could cascade. People living on the upper floors of high-rises could lose water. They might not be able to withdraw cash from ATMs, which no longer work.
“What we were doing in general was walking the senators through how these things that seemingly are unrelated are connected,” DHS Secretary Janet Napolitano said in an interview Thursday.
But legislation pending in the Senate would help avert such attacks, administration officials argued.
Under the bill co-sponsored by Sens. Joseph I. Lieberman (I-Conn.), Susan Collins (R-Maine), John D. Rockefeller IV (D-W.Va.), and Dianne Feinstein (D-Calif.), the power companies “would have performance standards that could have prevented the spear phishing attack,” Napolitano said. The standards would cover only companies providing services that, if disrupted, would lead to mass casualties or other catastrophic consequences.
She said a company hit in a significant attack would be required to report the incident and information that would help prevent further attacks, including possibly a copy of the malicious software. The idea, she said, is not only to help mitigate the crisis, but to identify other critical companies that might be hit.
Rockefeller, the Senate Commerce Committee chairman, said the briefing “illustrated just how dangerous inaction on cybersecurity legislation can be.”
But one congressional staffer who observed the exercise called it a “scripted event” that was “tailored to show why one particular legislative proposal was needed.”
The administration’s full-court press in part reflects the fact that the bill faces resistance. Besides Napolitano, participating officials included John O. Brennan, assistant to the president for homeland security; Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff; FBI Director Robert S. Mueller III; and National Security Agency Director Keith Alexander.
Opposition to the bill comes from some industry groups that say it is too burdensome on business. Meanwhile, some national security experts say the bill does not go far enough to mandate that certain industries be covered.
A competing bill was introduced last week by a group of Republican senators, including John McCain (Ariz.) and Kay Bailey Hutchison (Tex.). It also promotes the exchange of threat data between the private sector and the government but does not require any company — critical or otherwise — to turn over malware evidence to the government.
“We take a non-regulatory approach,” said a Senate GOP aide.