Ex-DHS, DoD Heads Call for Cybersec Law
Making the Case for Regs on Critical Infrastructure Owners
A group of former top federal government security and defense officials is calling on the Senate to pass significant cybersecurity reform legislation sooner rather than later.
"The window of opportunity to pass legislation ... critically necessary to protect our national and economic security is quickly disappearing," the former officials wrote to Senate Majority Leader Harry Reid and Minority Leader Mitch McConnell in a letter dated June 6. The letter was signed by former Homeland Security Director Michael Chertoff, former National Security Agency directors Michael McConnell and Michael Hayden, former Deputy Defense Secretaries Paul Wolfowitz and William Lynn III, and James Cartwright, former vice chairman of the Joint Chiefs of Staff.
The letter notes that various draft bills seek to protect the nation's critical IT infrastructure, with legislation backed by Sens. Joseph Lieberman, ID-Conn., and Susan Collins, R-Maine [Senators Unveil Major Cybersecurity Bill], receiving the most traction.
The former officials say they aren't endorsing any specific approach to securing critical infrastructure, but suggest provisions found in the Lieberman-Collins bill come closer to their thinking than does other legislation, such as a measure from Sen. John McCain, R-Ariz., which doesn't provide for any regulation on the mostly private owners of the critical infrastructure (see: Vanishing Bipartisanship over Cybersecurity). They write:
"We will not advocate one approach over another; however, we do feel strongly that critical infrastructure protection needs to be addressed in any cybersecurity legislation."
But these former officials, most of whom served in the George W. Bush administration, make it clear that regulating industry could be appropriate:
"Infrastructure that controls our electricity, water and sewer, nuclear plants, communications backbone, energy pipelines and financial networks must be required to meet appropriate cybersecurity standards. Where market forces and existing regulations have failed to drive appropriate security, we believe that our government must do what it can to ensure the protection of our critical infrastructure."
That statement jibes with the approach taken by Lieberman and Collins as well as the Obama White House (watch video, Cybersecurity Coordinator: It's Not an All or Nothing Package).
The former leaders also see a role for the NSA in helping safeguard the nation's critical IT systems, a position that makes some civil libertarians and privacy advocates jittery because of the perception that the e-spy agency snoops on American citizens. The leaders wrote:
"A piece of malware sent from Asia to the United States could take as little as 30 milliseconds to traverse such distance. Preventing and defending against such attacks requires the ability to respond to them in real-time. NSA is the only agency dedicated to breaking the codes and understanding the capabilities and intentions of potential enemies, even before they hit 'send.'"
U.S. Public Split on Cybersecurity Threats
The general public doesn't see the potential cyberthreats as being as dire as these leaders do, according to a just-released poll by the Washington Post. The nation is nearly evenly split on whether a major cyberattack could cripple computer systems of U.S. businesses and government. The respondents - 1,004 randomly selected individuals, including 740 Internet, landline and cell phone-only users - also were evenly split on the preparedness of business and government to handle cyberattacks.
What does the public have to say about having the government impose standards? According to the poll, 39 percent would require standards; 28 percent would encourage standards; 26 percent would have government stay out of it and 7 percent expressed no opinion.
Respondents also were split on supporting legislation that would allow exchange of information between government and business to prevent a cyberattack vs. those who think such a bill would go too far in invading personal privacy rights.
Despite the willingness of the public to accept some form of regulation, and the call from these former leaders who worked in a Republican administration, getting beyond a potential GOP Senate filibuster of a cybersecurity bill that includes any form of imposed regulations seems to be a high barrier to clear.