The Internet security company Symantec revealed recently that a group of hackers known as Dragonfly infiltrated malware into legitimate software belonging to three manufacturers of industrial control systems — the stuff that controls factories and power grids. In one case, the contaminated control software was downloaded 250 times by unsuspecting users before the compromise was discovered.
This kind of cyberattack is not new, but it is audacious and dangerous. One of the first such assaults was the Stuxnet campaign, which had sabotage as its primary goal, against the Iranian nuclear program. By contrast, Dragonfly was a multi-pronged infiltrator, aimed at cyberespionage and gaining long-term access to computers, with sabotage as a future option, perhaps flicking off the electrical power to a city or shutting down a factory. Dragonfly probably was state-sponsored from somewhere in Eastern Europe.
Not alarmed? Then take a look at a proposal from the Securities Industry and Financial Markets Association. According to Bloomberg, Wall Street’s biggest trade group has suggested setting up a high-level U.S. government-industry council to deal with cyberthreats. What do they fear? Attacks that “destroy data and machines” and could lead to runs on financial institutions, loss of confidence in the banking system and “devastating” consequences for the economy. The group predicts attacks could result in “account balances and books and records being converted to zeros,” Bloomberg reported on July 8.
A torrent of cyberattacks — disruption, espionage, theft — is costing U.S. business and government billions of dollars. This is reality, not science fiction. In March, Chinese hackers broke into the U.S. government agency that houses the personal information of all federal employees.
For several years, it has been clear to many in government and the private sector that the nation needs to vastly improve protection of its private networks and that only government has the sophisticated tools to do that. But Congress has balked at legislation that would ease the necessary cooperation.
Thus it was encouraging to see the Senate Select Committee on Intelligence vote 12 to 3 last week to approve a cybersecurity bill that would begin to bridge the gap. Its prospects in the full Senate are uncertain. A similar bill passed the House last year.
Understandably, the legislation has triggered alarms about invasion of privacy. There are legitimate fears that the National Security Agency and U.S. Cyber Command will, in pursuit of cybersecurity, scoop up too much information about Americans. Certainly, the disclosures by former contractor Edward Snowden about how much the NSA vacuumed up in telephone and Internet data have undermined confidence in the government. But this supercharged privacy debate should not stand in the way of a good cybersecurity bill. Rather, it is a reason for Congress to build in workable and sufficient privacy protections and get on with passing legislation that is long overdue.