Cybersecurity overhaul needs sense of urgency
The dialogue on cybersecurity has come a long way in the past few years. The news is awash with stories of theft of personal financial information, silent but effective espionage against our defense establishment and the potential effect of attacks against our pervasively networked critical infrastructure. However, the time for simply talking about solutions is quickly running out.
Despite numerous proposals to enact the comprehensive reforms we need, we have failed to make our laws and practices relevant to our 21st century economy because of a missing sense of urgency and a lack of understanding of the role cybersecurity plays in our daily lives.
Too often, policymakers still view the security of our networks as a niche area that narrowly affects our society. That misleading perspective gets communicated to the public, leaving most in the dark on the extent to which their personal information, and in some cases their safety, is vulnerable.
We rely on the Internet to send personal files and sensitive government information as well as to monitor bank accounts and our electric grid. Yet security is not a priority for personal users, it is not a priority for many corporations and it is not even a priority for some in government. And it’s costing us.
A 2010 study found the average price tag of a business data breach to be $7.2 million, and the intellectual property losses are staggering, with information stolen on a daily basis by our competitors for economic and military advantage.
As top cyber expert Jim Lewis noted: The U.S. spent $368 billion on research and development [in 2010], but cyber espionage lets others get the results for free.
Because it’s all happening in the digital realm, there is little public outrage.
Among our critical infrastructure, we lack even simple security measures for many of the systems that control our electric grid, water and sewage plants, and financial and telecommunications systems.
Yet we know of computer viruses, such as the now-infamous Stuxnet, that could devastate parts of these industries, resulting in enormous costs, borne largely by the taxpayer.
In November, we saw confusion about security at an Illinois water plant, and an FBI official said three cities’ utilities were recently compromised. None of this should be surprising. The types of industrial systems controlling our utilities were built in a non-networked world and designed for reliability, not security.
With acquisition cycles that take decades, companies leave little budgetary or operational room for security improvements. The reluctance to make upgrades has demonstrated that private owners and operators of our critical infrastructure don’t take this threat seriously enough.
Remedies for our cybersecurity challenges are well known. The Center for Strategic and International Studies commission that I co-chaired in 2008 to make recommendations for the incoming president spelled out many solutions, but we need the political will to make them reality.
To better protect critical infrastructure, the Department of Homeland Security and regulators must develop new public-private partnerships, relying on incentives to improve security when possible but regulation when necessary. Government can work with each industry to determine best practices and issue standards and guidance, with consequences for those that do not comply.
These relationships should be backed up with the coordination of our top cyber experts across government, including at the National Security Agency.
Finally, this entire effort needs to be balanced with a strong privacy framework that is responsive and accountable to the Congress and, most importantly, to the American people.
Vulnerabilities in one industry or government can have repercussions in unrelated fields involving companies or agencies with which they do not traditionally have partnerships.
Legislative proposals exist to break down barriers and encourage information sharing. They would streamline the government’s classification process to ease communication about new threats to the private sector and establish a system that allows business to make threats known to government while ensuring that privacy remains a top concern.
While our awareness of cyber threats is increasing, technology continues to outpace our efforts to protect our networks. Automated tools are lowering the bar for cyber mischief as advanced hackers get more creative every day.
I am pleased that Senate Majority Leader Harry Reid (D-Nev.) recently committed to bringing up cyber legislation early this year, but we will make progress only if the issue receives the prominence it deserves and our leaders speak with one voice in recognizing the true extent of its effect on our economy and safety.
Our citizens are already suffering the consequences of inaction. Time is up. We know what needs to be done; all that’s left is to make it happen.
Rep. James Langevin (D-R.I.) is co-founder of the Congressional Cybersecurity Caucus and ranking member of the Armed Services Subcommittee on Emerging Threats and Capabilities.