John O. Brennan is President Obama’s senior adviser on counterterrorism and homeland security.
Before the end of the next business day, companies in every sector of our economy will be subjected to another relentless barrage of cyberintrusions. Intellectual property and designs for new products will be stolen. Personal information on U.S. citizens will be accessed. Defense contractors’ sensitive research and weapons data could be compromised.
While it’s impossible to put a monetary value on the impact of these daily intrusions, it’s undeniable that cybertheft is costing U.S. jobs and undermining our economic competitiveness in the global economy.
As serious as these intrusions are, they are only the tip of the iceberg.
Our critical infrastructure — power plants, refineries, transportation systems and water treatment centers — depends on the integrity and security of its computer networks. Approximately 85 percent of this infrastructure is owned and operated by the private sector. Last year alone, there were nearly 200 known attempted or successful cyberintrusions of the control systems that run these facilities, a nearly fivefold increase from 2010. And while most companies take proper precautions, some have unfortunately opted to accept risks that, if exploited, would endanger public safety and national security.
The consequences of a successful attack against our critical infrastructure would be enormous. A sophisticated cyberattack on our power grid could cause disruptions on par with the Northeast Blackout of 2003, which brought thousands of businesses to a halt and cost our nation more than $6 billion. The disruption of police, fire and other emergency services, as we’ve seen during destructive hurricanes, would endanger the lives of countless Americans.
And the cyberthreat is growing; our intelligence community estimates that other nations and transnational organizations could soon acquire the capability to disrupt or damage vital elements of our critical infrastructure. FBI Director Robert Mueller warned last month that “in the not too distant future, we anticipate that the cyberthreat will pose the number-one threat to our country.”
A decade ago, the Sept. 11 attacks exploited vulnerabilities that had been left unaddressed for too long. Today, we know what our cybervulnerabilities are and what threats we face. The only question is whether we’re going to address them in time.
That’s why, as President Obama said in his State of the Union address, we need Congress to swiftly pass legislation to address this threat. Building on the administration’s proposal from last year, the bipartisan Cybersecurity Act of 2012 would give the federal government new authority to share information about cyberthreats with businesses and, if asked, offer these companies assistance in preventing intrusions and attacks.
This legislation also seeks to ensure that our nation’s most vital critical infrastructure assets are properly protected by setting minimum cybersecurity performance standards that companies who work on or operate such infrastructure would be required to meet. Industry and the Department of Homeland Security would work together to develop these standards based on known risks to specific sectors and companies. Some in Congress and some business leaders have opposed such mandatory measures, arguing that it is enough for government and industry to share more information about cyberthreats. I respectfully but strongly disagree. A voluntary system of cybersecurity compliance by critical infrastructure companies is a risk that the American people cannot afford to take.
The Cybersecurity Act of 2012, proposed by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.), is measured, reasonable and essential to our nation’s security and future prosperity. It also safeguards the personal information and privacy rights of U.S. citizens. It is premised on close coordination and consultation between government and industry, and it allows for flexible solutions to mitigate risk. Many companies and sectors of our critical infrastructure that are already defending their networks with strong cybersecurity measures will not be required to do anything more. Others who are currently falling short, however, will be directed to tighten up their cybersecurity practices. Exactly how they would do so — for example, behind a firewall or a stand-alone network — would be up to the company.
For decades, industry and government have worked together to protect the physical security of critical assets that reside in private hands, from airports and seaports to national broadcast systems and nuclear power plants. There is no reason we cannot work together in the same way to protect the cybersystems of our critical infrastructure upon which so much of our economic well-being, our national security and our daily lives depend.
The chairmen of the 9/11 commission, Tom Kean and Lee Hamilton, have urged the Senate leadership to act. “It is paramount,” they said recently, “that the federal government take the steps necessary to prepare the nation to prevent and mitigate the effects of potentially catastrophic cyber attacks on the nation’s critical infrastructure.” We ignore that warning at our peril.