Will it Take a ‘Cyber Pearl Harbor’ to Break Congressional Deadlock?

Even in the face of what most experts label as a potential “Cyber Pearl Harbor” threat, Washington’s partisan divide carried the day on Capitol Hill yesterday, stalling the Cybersecurity Act of 2012 with a Senate vote of 51-47 against the legislation.

The result drew a quick response from the staff of Secretary of Defense Leon Panetta:  “The U.S. defense strategy calls for greater investments in cybersecurity measures, and we will continue to explore ways to defend the nation against cyber threats,” DoD spokesman George Little said. “New legislation would have enhanced those efforts. If the Congress neglects to address this security problem urgently, the consequences could be devastating.”

The gridlock that prevented the measure from moving forward can be tied to the same themes that have kept Congress from taking action on anything, including solving the issues that will keep the nation from going over the “fiscal cliff.”  The White House focused it’s influence on the Senate rather than the House, and Senate Republicans chose to view the legislation not as a national security concern but as a “more proof that Democrats want government in everything” concern.  (What party came up with the Patriot Act, by the way?)

Senate Republicans were unflinching in their dislike of the bill as written.  “[The Senate bill] would have created a new bureaucracy that would have slowed down the process and forced companies to focus on compliance with new government mandates that would not insure better and faster notifications of cyber threats,” Kay Bailey Hutchison of Texas, the top Republican on the Senate Commerce Committee who also is retiring, said in an e-mail to Bloomberg Businessweek.

Meanwhile the issue is also complicated by the fact that companies are left to do the calculus around whether it would be more cost effective —  absent liability laws around cyber attacks — to invest in the hardware, software, and manpower required to effectively prevent cyber attack or to simply weather the attack and fix what breaks afterwards.

History might have to repeat itself — albeit this time with new technology — in that it might take a catastrophic cyber invasion to solve the arguments.

  • Max

    Normally, I side with the Republicans, but on this issue, I disagree. I’m taking a computer security class at college, and I can tell you that if private businesses don’t invest in the defenses necessary to defend themselves, they put the entire country at risk; especially those companies that operate critical infrastructure like power plants (especially nuclear), chemical plants, railroads, etc etc. This is definitely a national security threat that we cannot ignore. If private companies don’t want to do it themselves, then the government must step in and make it happen somehow, through regulation, financial/tax incentives or something.

  • tom

    And the American taxpayer continues to foot the bill for Panetta flying home to California on a USAF jet every single weekend to be with his wife. I can’t believe we allow wasteful spending like this!

  • tee

    As someone in the business for over 20+ years, “Be-careful of What You Wish For”. The Government can’t run the Post Office or any other Entity Successfully and you want them to have “Total Control of the Internet” ??? Not a Very Smart Idea.

  • Speedy

    Side A: We stop this bill from being approved for our own reasons.
    Side B: You will allow to happen, then we will blame you.
    happens
    Side A: Blames Side B for not doing anything about
    before it happened.
    Side B: Does not seem to point out Side A caused the problem.

    Rinse, Repeat… and repeat…

  • ChrisM

    Partisan? I’d call it bi-partisan gridlock. About as many republicans voted for it, as democrats voted against it. http://votesmart.org/bill/votes/41248#.UKXDzGt5mS

    5 republicans voted for it, two abstained. 4 democrats voted against.

    • Max

      Well, 5 out of 45 Republicans, and 4 out of 51-ish Democrats, doesn’t sound very “bi” to me. To me, this should not be a partisan issue, it’s a threat against the entire nation. Again, I’m not concerned about the small businesses; I’m concerned about the critical infrastructure firms. I think we all should be. my 2 cents

  • SFC C+11

    DoD should not be IN CHARGE of the NATIONS INFRASTRUTURE. Let the Power Companies, Transportation, Aviation, Wall Street, Contractors, and the Government controll their own internet. They can make their own lines secure. They can hire the people needed to secure their internet connections, OR all of the afore mentioned should create their own NET.
    DoD has enough to secure, 5 branches, and their own Communications assets to worry about.
    The BIG Companies and the rest NEED “GUIDLINES” FROM CONGRESS to get the ball rolling. Make the darn guidlines and be done with it. SECURE THE INFRASTRUCTURE BEFORE IT IS TOO LATE!!

  • Rational Rob

    Classified Networks are not secure because as long as a human being isn’t being actively monitored, there is always the potential for loss of data.

    Look at Private Manning.

  • Tad

    Without knowing all the details of the bill, it’s very hard to decide whether the Republicans are just being pig-headed, or if perhaps they just feel the bill needs to be better-written. I suppose it’s better to slow down, read the legislation, understand its implications, than to have a knee-jerk reaction and pass poor legislation. Let’s hope that’s the situation here.

  • dubweiser101

    One thing we can all agree on is that the USA does depend on war to inject revenue into its economy and to shift political focus when convenient. History has spoken…

    When, where, and how is anyone’s guess. Unless you happen to be a member of that tight circle of planners in the proverbial smoky room.

  • Max

    I think a lot of lawmakers, not to mention most of the population, is really clueless when it comes to really understanding the danger of hackers and the power of groups with the backing of a national government like China or Russia with huge resources and the ability to hire the most brilliant and educated minds available to focus their attention on one thing: take out infrastructure, put back doors in, steal information, etc in ways that average hackers couldn’t hope to match.

    Just because someone knows how to use a web browser or read email doesn’t mean they know anything at all about computer security issues. I suspect that much of the Republican opposition to this kind of legislation is based on sheer ignorance fo these things, and they are relying on the old tried-and-true approach that “anything that’s bad for business is bad for America.” The title of this newspiece is apt, because it just might take a Pearl-harbor-like disaster that knocks out electrical power for most of the country for a couple of weeks or more to get their attention. It’s bound to happen sooner or later. The US has already done similar things to Iran with their centrifuges with the Stuxnet virus. That virus has now been reverse-engineered and is being used already.

  • John

    >>> What party came up with the Patriot Act, by the way?)

    I’ll take this opportunity to thank the Democrats for repealing the Patriot Act the moment they had control of the House, the Senate and the WH.

    What’s that you say? They never repealed it, they expanded it? And now Obama has granted himself the power to assassinate US citizens without trial?

    And hey, where did all the war protests go?

  • The_Hand

    A few comments:

    I’m not up to speed on the details of the Cybersecurity Act but I assure you something like it is absolutely necessary. I’m reading some comments here along the lines of “private industry can make their own lines secure”, which I think has been utterly disproven over the past fifteen years. Industry has to be dragged, kicking and screaming, toward more secure networks. The only reason networks are more secure today is because of regulations like HIPAA and PCI.

    As for air gapping “critical” networks, that’s basically what the Cybersecurity Act is trying to accomplish to the degree that it’s actually feasible. You can’t unhook all the financial servers from the internet and expect business to continue, and even if you did they still wouldn’t be automagically secure. Iran’s centrifuges weren’t hooked up to the internet either. It is possible, using a combination of encryption, tunneling, virtualization, and endpoint security, to enclave critical assets while allowing network connectivity. But these solutions have to be carefully architected, and they cost money, so it’ll never happen without government encouragement.

  • Brett

    State sponsored cyber criminals steal the very technologies and intellectual properties that both our country and private sector enterprises spend billions to develop. Adversarial nations bring themselves eye-to-eye with the U.S. by investing trivial amounts of money into hacking efforts. Advanced persistent threats sit in wait on the inside of our criticial infrastructure networks to be kicked off when the time is right and to continue to passively sponge up proprietary and secret information. The government alone is not the solution, but should implement a joint public-private consortium to fight and defeat these virtual threat vectors. The government cannot scale to the levels required to govern private sector information security. It should use a combination of incentives and requirements as the path to secure private sector systems. For example, providing tax incentives to those companies that meet security certification and accreditation standards could serve as a return on investment incentive, that when paired with competitive differentiator, could entice enterprises to invest in security. Without a justification, many private sector enterprises will continue to focus on keeping the lights on operationally and not so much securely.

  • R L Vitt

    As just a regular guy with internet access, I wouldn’t let the government have any control at all over the internet. I they want to have secure DOD computers run them on a separate network. But, I’m not willing to give government the power to shut down internet usage in the name of security. China and Iran as well as many other country’s have that power. I’m not willing to let our government have any say at all over our system.

  • blight_
  • squiddy

    South Carolina’s breach was caused by a phishing attack, and lack of two-factor authentication in their Citrix Remote Access service.

    This is hardly a new attack vector – the average high-school kid could pull it off. And one that would be easily prevented by any kind of proper security regime. Office networks with email and web access must *never* be on the same networks, or use the same credentials, as sensitive data – they must be isolated. And two-factor authentication of some form *must* be used for any kind of remote access.

    But this isn’t just South Carolina’s problem, the same thing occurs all over the place, including financial houses. How many U.S. banks offer on-line banking? Now how many of those offer two-factor authentication?

    The situation is actually pretty desperate, our economy and our infrastructure is far more vulnerable than anyone will admit.

  • secgauntlet

    I have been and Information Security Professional for over 32 years now. Yes, before most of you all new we had networks and classified processing. I have work for the DOD, DOT, DOE and FAA. I am VERY distressed about the government not stepping up to the plate on increasing the ability of our critical infrastructure entities to protect themselves. We spend billions on new research of weapons systems (laser tech, new bomb, new rifles, etc.), billions on air craft that are so advanced that our pilots can’t fly them without a computer and most of all we still have an inverted (for the most part) perimeter within the military, DOD and our Intelligence agencies. Too many chiefs and not enough Indians (pardon the pun but it fits very well). I also agree with some here that do not encourage the Government to lead this effort. Especially any military branch. Their DOD’s job is to fight combat wars on the ground and air. The Internet is just not the space or communications for the type of C4I structure to be effective. It take many, many Indians and very cleaver underground types who’s criminal record may not allow them to enter the service and carry a gun but in our world, the world of Cyberspace is for people who not NOT play by the rule book. With politics and rules, one will NEVER play in this obscure space and time. This is a space of truly UNCONVENTIONAL warfare. Since 1999, PDD-63 has directed critical critical infrastructure to plan and implement defensive measures for each of these critical entities (Transportation, Water, Electric, etc). BUT almost none have performed any real efforts to protect themselves despite this document being a Presidential Directive. IF they had 9/11 well may NEVER have happened (only speculation on my part). A special entity should be formed outside the Intelligence and DOD community and be allow to do what they need to be done to protect these entities, at a MINIMUM from Cyber events. Proactive and Offensive measure need to be take immediately against other nations such as China, Russia, Africa, to name a few who believe they can hack, social engineer and threaten our way of life though the use of the Internet. It is time the US takes and Offensive Posture on the Cyber warfare front and start kicking some butts. “Control the money and you control a country. Control access to the Internet and you Control everything about a Country, people, commerce, money, and their way of life”.