It should come as no surprise to anyone who follows the news in the U.S. that Congress hasn't moved on cybersecurity. Forces on both sides of the aisle watered down, and then eventually nixed, this summer's cybersecurity bill (also known as the Lieberman/Collins bill, sponsored by Senators Joe Lieberman, I-Conn. and Susan Collins, R-Maine). Sen. John McCain (R-Az.) and others proposed an alternative SECURE IT Act, which now languishes as Congress gears up for the November election.
For his part, President Barack Obama has been doing what he can to prepare the country for the possibility of an attack on our critical infrastructure. In July, he wrote an opinion piece in The Wall Street Journal calling for better exchange of information between government and industry in the event of a cyberattack.
It's also possible, in the likely event of Congressional inaction, that the President might issue an Executive Order calling for such information exchange. Such an order, however, comes with its own political risks, as some consider such a move to impinge on the purview of Congress. The end result of all this political maneuvering, therefore, may be little or no action by the U.S. government on cybersecurity, at least until sometime in 2013.
Parties United in Cybersecurity Bill Opposition
The obvious question is whether such legislation would simply be too little, too late. The unfortunate fact of the matter is that we are already in the midst of a cyberwar. Corporations as well as government agencies are under constant attack from a range of opponents, both economic and political. Furthermore, the 2010 Stuxnet attack on Iranian nuclear infrastructure and the more recent Gauss attack on the Lebanese banking system show that the U.S. (or parties aligned with U.S. interests, Israel in particular) are willing and able to take an offensive posture in this Cyberwar.
Analysis: Why Stuxnet is a Really Bad Weapon
The fact that the U.S. is willing to take such an offensive role raises the stakes for the defensive side of this battle. Not only do criminals continue to infiltrate our financial networks, as they have for years, but now we're courting retaliation from nations who might very well launch their own cyberattacks against us. Cyberwar is heating up-and instead of strengthening our defenses, Congress dawdles.
The appropriate course for Congress to take remains unclear, regardless of your political perspective. The right wing, in the form of the U.S. Chamber of Commerce, shot down the Lieberman/Collins bill, citing onerous regulation, an expansion of government and interference with the open market. But in a classic case of odd bedfellows, the left wing, in the person of Sen. Al Franken, D-Minn., also had issues with the cybersecurity bill, as it called for private industry and government to share potentially private information about US citizens, thus impinging on the civil rights of Americans.
As Franken eloquently puts it, "Once a company gives the government cyberthreat information, the government shouldn't be able to say, 'Hey, this email doesn't have a virus. But it does say that Michael is late on his taxes. I'm going to send that to the IRS.'"
News: Cybersecurity Report Stresses Need for Cooperation
Both sides present valid points. While appropriate, balanced regulation might be efficacious, and no one wants to see layers of expensive governmental bureaucracy or unnecessary interference with day-to-day commerce. No one wants to give up civil rights to improve security, either, especially when there's no guarantee we will truly become more secure for having made such a deal with the devil.
While Republicans intend for SECURE IT to address the flaws of the Lieberman/Collins cybersecurity bill, it's not clear whether the new bill will solve more problems than it causes. It goes out of its way to avoid introducing any new regulations that might be burdensome on the private sector and calls for no new regulatory authority-good for the private sector, perhaps, but at the risk of being toothless. As Sen. Ron Johnson (R-Wis.) puts it, "I have no faith that federal regulators should take the lead on cybersecurity. The regulatory process simply cannot keep up with the rapid pace of technology."
If federal regulators shouldn't take the lead on cybersecurity, then who should? The private sector-but only by voluntarily sharing classified information, not through regulation, the argument goes. Instead of relying on the government to address cyberthreats, SECURE IT lowers the liability that private sector companies would face, should they share information about potential threats with the government. This has the potential to lead to civil rights abuses, although the bill's sponsors promise that won't happen.
Cyber Villains Aren't Waiting
From the perspective of the technology industry, all this political bickering comes across as dangerously parochial. The Internet, after all, knows no geographic borders, and the bad guys are all too willing to take advantage of the nationalist tunnel vision that all countries exhibit, including the U.S. While the government bickers over whether the Department of Homeland Security or the Department of Defense should take the lead in cybersecurity, villains unknown are planning...well, we don't really know what they're planning, do we?
News: Government Alarm Over Cyberattacks Validated By Terrorists
By calling for greater protection for critical infrastructure such as power plants and water treatment plants via better communication between private industry and government, President Obama is doing all he can, given Congressional intransigence. Even if the President gets what he's asking for, though, there's still a serious concern that it won't be enough, since there's no way to know if an attacker is targeting the critical infrastructure on the President's list.
After all, there are many different types of potential attackers with many different possible motives. Whether they are cybercriminals interested in financial gain, countries such as Iran or China mounting cyberespionage attacks, intellectual property thieves focusing on industrial espionage, or terrorists interested more in wreaking havoc than on any particular target, no single line of defense is sufficient. Furthermore, a cyberattacker might be a country, a company, a decentralized group of hackers (potentially spanning several countries) or even a single individual.
Their potential targets are similarly varied. A single, high-value target such as a power plant may come under attack, but protecting such infrastructure is an obvious priority. The result is that such attacks are difficult to mount, and thus are likely to be relatively rare. Far more common are attacks of convenience. Just as a burglar will avoid houses with alarm signs and instead seek homes with overgrown lawns sporting piles of newspapers, cybercriminals don't really care whose money they steal. Most dangerous of all are the random terrorist attacks that are simply looking to cause mayhem.
Let's also avoid the mistake of assuming that all cybertargets are technology targets. Perhaps the most effective cyberattacks have psychological targets that outstrip the intrinsic technology value of the target. For example, an attacker may not be able to take down Hoover Dam, but what if he could hack the Mars Rover Curiosity? The result would be outrage dismay, and anger-which may in fact be the intended goal all along.
The most nefarious attack of all, however, is on the American way of life-or, to be less nationalistic, the way of life in any free country. This most dangerous attack need not even take place. If the mere threat of cyberattack causes us to reduce civil liberties for our citizens, we have lost something immensely precious. For any attackers seeking to target precisely those liberties that make free countries free, we risk Congress itself becoming their most powerful weapon.
Achieving an adequate level of cybersecurity while balancing business needs and civil liberties is therefore a complex, difficult challenge. We can only hope that our government-as well as other governments around the world-rise to the challenge in time. The alternative, we fear, is continued complacency until a single attack or cluster of attacks is so damaging, so traumatic that the entire world changes its perspective on the cyberwar in progress. Let's not forget the most valuable target for such a cyber-9/11 is our way of life itself.
Jason Bloomberg is the president of ZapThink, a Dovel Technologies company. Bloomberg focuses on enterprise architecture, SOA and cloud computing. Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and on Google +.
Read more about cybercrime in CIO's Cybercrime Drilldown.