In an op-ed piece today (July 20) entitled “Taking the Cybersecurity Threat Seriously,” President Obama invokes images of derailed trains carrying industrial chemicals creating toxic clouds and water treatment plants with contaminated drinking water – all caused by “hackers…[that] inserted malicious software into the computer networks of private-sector companies.” These cataclysmic events (the result of a simulated National Level Exercise) are intended to drive home the point that we are under cyberattack and, therefore, “Congress must pass comprehensive cybersecurity legislation” to strengthen the defensive posture of our nation. In particular, the President advocates the passage of the Cybersecurity Act of 2012 (“CSA”) (i.e., the Lieberman bill).
Obama says that his administration “has made cybersecurity a priority” and that we now need to take measures that will allow the “government to share threat information.” He says information sharing is not enough and that “[t]he American people deserve to know” that companies involved with critical infrastructure meet minimum security standards. All of this while protecting privacy and civil liberties.
In his own op-ed, Obama observes that “no one has managed to seriously damage or disrupt our critical infrastructure networks.” We are deluged, however, with very current and very real reports of successful attacks on our private sector networks (including by nation states) that are resulting in significant losses of intellectual property and personal information. Indeed, General Alexander, the Commander of USCYBERCOM, has stated that “the theft of IP [due to cyber attack] is astounding” and is what others have described as “the greatest transfer of wealth in history.” While I agree with the President that cybersecurity needs to be made a priority, we need to achieve this in a way that addresses all threats.
The approach advocated by President Obama (including the administration’s legislative proposal) is a good start and an important component of what needs to be a comprehensive approach to cybersecurity. We need to strike a balance, though, that includes incenting all stakeholders to voluntarily increase their cyber protection.
As we’ve reported previously, the CSA emphasizes protection of “Covered Critical Infrastructure” (“CCI”) and requires any entity involved with CCI to comply with certain to-be-specified cybersecurity requirements. It also contains provisions addressing DHS authorities, education and workforce development, R&D, and other related topics. Critics point out, however, that its mandatory requirements, almost immediate obsolescence, and need for additional authorities, among other things, make it unpopular with business. Instead, many of those critics advocate for the SECURE IT Act of 2012, which calls for a voluntary information sharing regime that would apply to all entities and is focused on sharing of cyber threat information, with liability protection for those who participate. Perhaps the ongoing efforts of Senators Whitehouse and Kyl will produce a compromise that will satisfy most, if not all, stakeholders. One thing on which everyone can agree, though, is that we are running out of time and, as President Obama observes, we must “take action now and stay a step ahead of our adversaries.”