SIX YEARS AGO, the federal government’s classified computer networks were infiltrated by a tiny bit of malware. A massive operation known as Buckshot Yankee was carried out to clean the networks of the intruder, and the event helped spur the creation of U.S. Cyber Command, which is now growing rapidly. The government has put cyberthreats at the top of its national security threat matrix.
But one of the debates that began then remains unresolved: How to protect large and vulnerable private-sector networks? Not all the answers can be found in government, but on actions that do require legislation, this session of Congress and the one before it have come to an impasse. It is time for the lame-duck session, or the new one convening in January, to take the bipartisan path forward that a number of legislators have laid out.
What seemed potentially worrisome a few years ago — the mushrooming threat of sneaky, self-directing malware — now appears almost commonplace, and more dangerous than ever. Home Depot has disclosed that criminals pierced the perimeter of the retailer’s network with a vendor’s user name and password, then hoisted themselves to a higher level in the network and deployed “unique, custom-built malware” to sit on the self-checkout systems in the United States and Canada. The malware was able to evade antivirus protection, in part because it had never been seen before. Data on some 56 million credit and debit cards, and files containing 53 million e-mail addresses, were compromised.
This is just one example. For many corporations, large costs are involved with each attack. Some of the worst credit card data thefts may be remedied by the planned rollout of chip-and-PIN technology, but in a larger sense, private networks in the United States remain vulnerable and under near-constant assault.
A few years ago the thinking was that the government, with sophisticated cybersecurity tools, could scout private networks and help identify and defend against the bad actors. But Congress could not swallow this aggressive approach, and it became even less palatable after the disclosures by contractor Edward Snowden that the National Security Agency was collecting telephone and Internet metadata from U.S. citizens.
Since then, a modest goal of cybersecurity legislation has been to facilitate information-sharing about threats between the government and private sector. The House and the Senate intelligence committee have each passed legislation that would, in essence, order the administration to set up a method for real-time sharing of cyberthreat information between federal agencies and private companies and clear away legal impediments to doing so. Both bills had bipartisan support. The House proposal was approved in April 2013, 288 to 127, with about half of the Democrats voting for it. The Senate committee vote, taken in secret last July, was 12 to 3.
While we share some of the concerns about privacy issues, they shouldn’t be allowed to hold up cybersecurity legislation. A new law won’t eradicate the threat but is better than the inaction of the past four years. Doing nothing means leaving the door open to those who intend to disrupt, steal and spy in cyberspace.
Other editorials in this occasional series are at wapo.st/beyondgridlock.
Read more about this topic: