Does a cyber-9/11 loom?

It should come as no surprise to anyone who follows the news in the U.S. that Congress hasn't moved on cybersecurity. Forces on both sides of the aisle watered down, and then eventually nixed, this summer's cybersecurity bill (also known as the Lieberman/Collins bill, sponsored by Senators Joe Lieberman, I-Conn., and Susan Collins, R-Maine). Sen. John McCain (R-Ariz.) and others proposed an alternative, the SECURE IT Act, which now languishes as Congress gears up for the November election.

For his part, President Barack Obama has been doing what he can to prepare the country for the possibility of an attack on our critical infrastructure. In July, he wrote an opinion piece in The Wall Street Journal calling for better exchange of information between government and industry in the event of a cyberattack.

It's also possible, in the likely event of Congressional inaction, that the President might issue an Executive Order calling for such information exchange. Such an order, however, comes with its own political risks, as some consider such a move to impinge on the purview of Congress. The end result of all this political maneuvering, therefore, may be little or no action by the U.S. government on cybersecurity, at least until sometime in 2013.

Parties United in Cybersecurity Bill Opposition

The obvious question is whether such legislation would simply be too little, too late. The unfortunate fact of the matter is that we are already in the midst of a cyberwar. Corporations as well as government agencies are under constant attack from a range of opponents, both economic and political. Furthermore, the 2010 Stuxnet attack on Iranian nuclear infrastructure and the more recent Gauss attack on the Lebanese banking system show that the U.S. (or parties aligned with U.S. interests, Israel in particular) is willing and able to take an offensive posture in this cyberwar.


The fact that the U.S. is willing to take such an offensive role raises the stakes for the defensive side of this battle. Not only do criminals continue to infiltrate our financial networks, as they have for years, but now we're courting retaliation from nations that might very well launch their own cyberattacks against us. Cyberwar is heating up, and instead of strengthening our defenses, Congress dawdles.

The appropriate course for Congress to take remains unclear, regardless of your political perspective. The right wing, in the form of the U.S. Chamber of Commerce, shot down the Lieberman/Collins bill, citing onerous regulation, an expansion of government and interference with the open market. But in a classic case of odd bedfellows, the left wing, in the person of Sen. Al Franken (D-Minn.), also had issues with the cybersecurity bill, as it called for private industry and government to share potentially private information about U.S. citizens, thus impinging on the civil rights of Americans.

As Franken eloquently puts it, "Once a company gives the government cyberthreat information, the government shouldn't be able to say, 'Hey, this email doesn't have a virus. But it does say that Michael is late on his taxes. I'm going to send that to the IRS.'"


Both sides present valid points. While appropriate, balanced regulation might be efficacious, no one wants to see layers of expensive governmental bureaucracy or unnecessary interference with day-to-day commerce. No one wants to give up civil rights to improve security, either, especially when there's no guarantee we will truly become more secure for having made such a deal with the devil.

While Republicans intend for SECURE IT to address the flaws of the Lieberman/Collins cybersecurity bill, it's not clear whether the new bill will solve more problems than it causes. It goes out of its way to avoid introducing any new regulations that might be burdensome on the private sector and calls for no new regulatory authority. That may be good for the private sector, perhaps, but at the risk of being toothless. As Sen. Ron Johnson (R-Wis.) puts it, "I have no faith that federal regulators should take the lead on cybersecurity. The regulatory process simply cannot keep up with the rapid pace of technology."

If federal regulators shouldn't take the lead on cybersecurity, then who should? The private sector, the argument goes, but only by voluntarily sharing classified information, not through regulation. Instead of relying on the government to address cyberthreats, SECURE IT lowers the liability that private sector companies would face should they share information about potential threats with the government. This has the potential to lead to civil rights abuses, although the bill's sponsors promise that won't happen.

Cyber Villains Aren't Waiting

From the perspective of the technology industry, all this political bickering comes across as dangerously parochial. The Internet, after all, knows no geographic borders, and the bad guys are all too willing to take advantage of the nationalist tunnel vision that all countries exhibit, including the U.S. While the government bickers over whether the Department of Homeland Security or the Department of Defense should take the lead in cybersecurity, villains unknown are planning... well, we don't really know what they're planning, do we?


By calling for greater protection for critical infrastructure such as power plants and water treatment plants via better communication between private industry and government, President Obama is doing all he can, given Congressional intransigence. Even if the President gets what he's asking for, though, there's still a serious concern that it won't be enough, since there's no way to know if an attacker is targeting the critical infrastructure on the President's list.

After all, there are many different types of potential attackers with many different possible motives. Whether they are cybercriminals interested in financial gain, countries such as Iran or China mounting cyberespionage attacks, intellectual property thieves focusing on industrial espionage, or terrorists interested more in wreaking havoc than in any particular target, no single line of defense is sufficient. Furthermore, a cyberattacker might be a country, a company, a decentralized group of hackers (potentially spanning several countries) or even a single individual.

Their potential targets are similarly varied. A single, high-value target such as a power plant may come under attack, but protecting such infrastructure is an obvious priority. The result is that such attacks are difficult to mount, and thus are likely to be relatively rare. Far more common are attacks of convenience. Just as a burglar will avoid houses with alarm signs and instead seek homes with overgrown lawns and piles of newspapers, cybercriminals don't really care whose money they steal. Most dangerous of all are the random terrorist attacks that are simply looking to cause mayhem.

Let's also avoid the mistake of assuming that all cybertargets are technology targets. Perhaps the most effective cyberattacks have psychological targets that outstrip the intrinsic technology value of the target. For example, an attacker may not be able to take down Hoover Dam, but what if he could hack the Mars rover Curiosity? The result would be outrage, dismay and anger, which may in fact be the intended goal all along.

The most nefarious attack of all, however, is on the American way of life, or, to be less nationalistic, the way of life in any free country. This most dangerous attack need not even take place. If the mere threat of cyberattack causes us to reduce civil liberties for our citizens, we have lost something immensely precious. For any attackers seeking to target precisely those liberties that make free countries free, we risk Congress itself becoming their most powerful weapon.

Achieving an adequate level of cybersecurity while balancing business needs and civil liberties is therefore a complex, difficult challenge. We can only hope that our government, as well as other governments around the world, rise to the challenge in time. The alternative, we fear, is continued complacency until a single attack or cluster of attacks is so damaging, so traumatic, that the entire world changes its perspective on the cyberwar in progress. Let's not forget that the most valuable target for such a cyber-9/11 is our way of life itself.

Jason Bloomberg is the president of ZapThink, a Dovel Technologies company. Bloomberg focuses on enterprise architecture, SOA and cloud computing. Follow everything from on Twitter @CIOonline, on Facebook, and on Google +.
