Cybersecurity Bill: Vital Need Or Just More Rules?
Consider what Hurricane Katrina did to New Orleans, and you get an idea of the consequences of a cyberattack on critical U.S. infrastructure: No electricity. No water. No transportation. Terrorists or enemy adversaries with computer skills could conceivably take down a power grid, a nuclear station, a water treatment center or a chemical manufacturing plant.
The prospect of such a paralyzing strike has convinced U.S. security officials and members of Congress that a new law may be needed to promote improved cyberdefenses at critical facilities around the country. Progress on that legislation, however, has been slowed by a debate over whether new cybersecurity measures should be mandated or merely encouraged.
The proposal that has received the most attention, sponsored by Sens. Joe Lieberman, I-Conn., Susan Collins, R-Maine, and others, would require owners and operators of critical infrastructure assets to notify the Department of Homeland Security of any and all cyber intrusions into their operating systems. Currently, such reporting is strictly voluntary, and security experts say only a fraction of the incidents come to the government's attention.
The Lieberman-Collins initiative would also establish baseline cybersecurity standards that all companies in an industrial sector would be required to meet. The legislation, however, has run into stiff opposition from private firms, the Chamber of Commerce and from members of Congress who view it as heavy-handed.
"Unelected bureaucrats at the [Department of Homeland Security] could promulgate prescriptive regulations on American businesses," charges Sen. John McCain, R-Ariz., the co-author of an alternative cybersecurity bill that favors voluntary information sharing between the government and private industry.
Advocates of mandatory cybersecurity standards, however, say the owners and operators of critical assets have consistently underestimated their vulnerability to cyberattacks and therefore are unlikely on their own to take the steps necessary to bolster their own defenses, particularly if they cost money.
Many operators, for example, do not realize their industrial controls may be accessible via the Internet.
Awareness Of Weaknesses
Such was the conclusion of Sean McGurk, who visited hundreds of power stations, water-treatment facilities and other critical assets as director of the National Cybersecurity and Communications Integration Center at the Department of Homeland Security.
"In every case, we were told that the systems were completely isolated from the enterprise network or the Internet, that there were no direct connections," McGurk recalls. "And in no case has that ever been true. In hundreds of vulnerability assessments, we've always found connections between the equipment on the manufacturing floor and the outside world."
The operating equipment probably lacked online links when designed and installed, but modernization and automation in subsequent years have introduced network connections of which the operators may be unaware. Such connections offer a doorway through which cyberattackers can penetrate an industrial system.
DHS cybersecurity experts such as McGurk (who has since left the government) have so far been handicapped in addressing infrastructure vulnerabilities because nearly 90 percent of the installations are in private hands.
Awareness of those vulnerabilities varies widely among the owners and operators of infrastructure assets, and some are openly skeptical of the need for expensive new security measures.
"There's been an awful lot written about cybersecurity and the threat of it," said Robert Johnston, president and CEO of MEAG Power in Atlanta. "There are a lot of people who want to spend a huge amount of money on something that we have not necessarily identified."
Johnston made his comments last fall in an interview with Energybiz, a business journal.
"Show me an event where we've lost systems due to cyberterrorism," he said. "I'm not aware of one."
'A Window Of Opportunity'
Security experts argue, however, that the example of the attacks of Sept. 11, 2001, shows that preparations for a terrorist attack must be made ahead of time.
"If terrorist groups were able to acquire these destructive cyber capabilities, I think we should fear greatly that they would use them," says William Lynn, until recently the deputy U.S. secretary of defense. "The capabilities are not yet in the hands of the most malicious actors, so we have a window of opportunity to improve our defenses.
"We don't know exactly how long that window of opportunity is, but I think we should feel a strong need to improve our defenses before that happens."
The debate over whether to establish compulsory or voluntary cybersecurity standards has led to competing legislative proposals on Capitol Hill. Rep. James Langevin, D-R.I., for example, is pushing to increase the authority of the Federal Energy Regulatory Commission to monitor cybersecurity in the U.S. power grid.
At present, FERC only has the power to approve or reject proposals initiated by power companies.
"I'd like to see that change," Langevin says, "so that when you have actionable intelligence that suggests a vulnerability exists and needs to be closed, FERC as the regulating entity has the authority to do that."
McCain and other Republican lawmakers have vigorously opposed such changes, saying industry is already overregulated and that new restrictions would hurt business.
"The regulations [under consideration] would stymie job creation, blur the definition of private property rights, and divert resources from actual cybersecurity to compliance with government mandates," McCain argued during a recent congressional hearing on proposed legislation.
Profits Over Public Safety?
Langevin and others have countered that private owners and operators may need to be forced to improve their cybersecurity for the general good.
"I would assess that the owners and operators of critical infrastructure have employed a minimum level of security because employing more robust cybersecurity would cost money and affect the bottom line," Langevin says. "They're putting profits ahead of public safety, in my opinion."
The wrangling over cybersecurity, however, is not strictly partisan. Among the advocates of tough, compulsory measures are several former Bush administration officials, including Michael Chertoff, a former secretary of Homeland Security, and Michael McConnell, a former director of National Intelligence, as well as FBI Director Robert Mueller, who has served under both Presidents Obama and Bush.
McConnell is especially dismissive of the argument that the mandatory cybersecurity measures being proposed would be anti-business.
"You got the same argument with virtually everything from seat belts to safety devices in electrical equipment," he says. "If you're out competing, and the competition is tough, you don't want to add any cost to your process, so your natural response to any regulatory talk is, 'It's more burden, and it's not worth it, and it would put me at a competitive disadvantage.' "
Though McConnell calls himself "a free-market advocate," he argues that more government regulation is sometimes needed, including in the cyber domain.
"This threat is so intrusive, it's so serious," he says. "If we don't address it, it's going to have a severe impact. I think we have no choice but to address it, and some of that process will be regulatory."
Still, some compromise will be necessary if new cybersecurity legislation is to be approved, and any final bill will undoubtedly promote some kind of government-industry partnership.
McGurk, who is now in private business helping firms address their cybersecurity problems, says such cooperative efforts are essential.
"With very limited exceptions, the skills necessary to secure water companies and power companies and chemical companies and nuclear facilities are nowhere available in the federal government," he says. "They reside in the private sector, with the asset owners and operators."
STEVE INSKEEP, HOST:
American companies may soon face new pressure to guard themselves against cyber attacks. The Senate will soon consider cybersecurity legislation. Lawmakers are asking how to protect our power plants, our water supply, the transportation grid, and other facilities on which our lives depend. It turns out that computer criminals could conceivably hack into those systems and shut them down with disastrous consequences. But the question is whether the owners of those facilities should be required by law to improve their defenses.
NPR's Tom Gjelten is here with us this morning to talk about this. Hi, Tom.
TOM GJELTEN, BYLINE: Good morning, Steve.
INSKEEP: OK. So, what would it be like if hackers were to shut down one of those systems I just described, like the power grid?
GJELTEN: Think Hurricane Katrina. That's a good analogy. No electricity, no communication, no safe water, no transportation. And like a hurricane, you're hit without warning, no time to prepare. It would be a disaster.
INSKEEP: And you don't realize how much you need these things until you would lose them. But what's the scenario under which somebody would actually do that?
GJELTEN: Well, it could happen during an all-out cyber war. Or it could be an act of cyber terrorism. Now, right now a cyber war is hard to imagine. I talked about this with Bill Lynn, who until recently was the number two at the Pentagon. He's one of the people who has thought the most about these issues. He says a cyber war attack on the U.S. right now is no more likely than a missile attack, because any country that would do something like that knows it would be hit right back. The greater danger, he says, would come from terrorist groups, they're harder to deter.
BILL LYNN: If terrorist groups were able to acquire these destructive cyber capabilities, I think we should fear greatly that they would use them, because there's nothing to hold them back.
GJELTEN: Now in Lynn's view, there are terrorist groups that would love to carry out an attack like this right now, but he doesn't think they have the capability to do it yet.
LYNN: So we have an opportunity, we have a window of opportunity, to improve our defenses. We don't know exactly how long that window of opportunity is, but I think we should feel a strong need to improve our defenses before that happens.
GJELTEN: And that's the situation. And, Steve, defenses have to be improved, because the companies that operate power plants and water systems right now are not that well prepared to cope with a cyber attack.
INSKEEP: Why would they not be more than a decade after 9/11?
GJELTEN: Well, Steve, remember that computer hackers generally work through the Internet - not always, but generally. As long as the equipment operating these facilities was isolated from the Internet, they were somewhat protected from hackers. But as these systems have been modernized, inevitably there are points where they have some online link. And each of those points is a doorway through which cyber attackers can sneak into the system.
Sean McGurk used to go out and do what he calls vulnerability assessments of these facilities for the Department of Homeland Security. Over and over, he says, the operators told him their plants were not connected to the Internet.
SEAN MCGURK: And as I testified before Congress, in no case had that ever been true. In hundreds of vulnerability assessments, we've always found connections between the equipment on the manufacturing floor and the outside world.
INSKEEP: Former Homeland Security expert there who spoke with NPR's Tom Gjelten, who is in our studios. And, Tom, what he's telling you there is that even the companies themselves do not realize how vulnerable they are.
GJELTEN: Right. And, Steve, remember about 90 percent of these institutions are privately owned. They're outside the government's direct control. And if the owners don't think they're vulnerable to cyber attack, they're less likely to spend the money to bolster their cyber defenses. That's why some folks say legislation is needed, basically, to require them to do certain things.
INSKEEP: To require them to spend the money, because they don't think in their assessment that the risk is worth the cost.
GJELTEN: Let me give you an example. This is the CEO of a power company in Georgia who was interviewed about cybersecurity concerns. Let me read you what he said. These are his words.
(Reading) There's been an awful lot written about cybersecurity and the threat of it. There are a lot of people who want to spend a huge amount of money on something that we have not necessarily identified. Show me an event, he says, where we've lost systems due to cyber terrorism. I'm not aware of one.
Now that's just one CEO. But he illustrates this reluctance to adopt expensive new cybersecurity measures. And it's because of attitudes like that that there's a move in Congress now to boost awareness of cybersecurity problems.
INSKEEP: More than one piece of legislation, if I'm not mistaken. So, what are the key differences, the key approaches, the different approaches to this?
GJELTEN: Mostly it comes down to whether you require companies to improve their cybersecurity or just encourage them. The most prominent bill is sponsored by Senators Joe Lieberman of Connecticut, Susan Collins of Maine, and others. It would require companies to notify the Department of Homeland Security, DHS, of any and all intrusions into their networks.
As of now, they don't have to tell anyone when they've been attacked. It would also establish baseline cybersecurity standards that all companies in a particular sector would be required to meet. But it has run into some strong opposition.
SENATOR JOHN MCCAIN: Unelected bureaucrats at the DHS could promulgate prescriptive regulations on American businesses.
GJELTEN: This is Senator John McCain of Arizona.
MCCAIN: The regulations that would be created under this new authority would stymie job creation, blur the definition of private property rights, and divert resources from actual cybersecurity to compliance with government mandates.
GJELTEN: Senator McCain is reading from a statement there. He has a separate cybersecurity bill that promotes voluntary measures over requirements.
You also have people like Congressman James Langevin of Rhode Island, who has sponsored legislation on the House side similar to the Lieberman-Collins bill. Here's his take on why some companies oppose these requirements to improve their cybersecurity.
REPRESENTATIVE JAMES LANGEVIN: I would assess that the owners and operators of critical infrastructure have employed a minimum level of security because employing more robust cybersecurity would cost money and affect the bottom line. So they're putting profits ahead of public safety, in my opinion.
GJELTEN: It's important to recognize however, that this debate is not playing out on partisan lines. Among the strongest advocates of tough cybersecurity regulations are some national security types who served in the last Bush administration.
Michael Chertoff, the former Secretary of homeland Security, and Michael McConnell, the director of national intelligence under President Bush. McConnell says he's normally a fierce free market advocate, but he says more government regulation is sometimes needed. In this case, the need to improve our cyber-defenses warrants it.
MICHAEL MCCONNELL: This threat is so intrusive, it's so serious, it could literally suck the life's blood out of this country. And if we don't address it, it's going to be a severe impact. And so, I think we have no choice but to address it. And some of that process will be regulatory.
GJELTEN: Regulatory. So, McConnell is on the side favoring a mandatory approach.
INSKEEP: Of course all of this is being considered by the Senate, where things do not necessarily move quickly. What kind of legislation could realistically emerge in the coming weeks?
GJELTEN: Well, there's going to be some compromise between Republican and Democratic proposals. Even the advocates of strict oversight of critical infrastructure recognize there's only so much government can do in this area. The Department of Homeland Security can demand that companies improve their cybersecurity, but it's the companies themselves that know best what measures can be taken and how to take them. They're the ones with the expertise.
So no matter which cybersecurity bill gets passed, our critical infrastructure won't be protected against cyber attack unless the government and private industry find a way to work together.
INSKEEP: Tom, thanks very much.
GJELTEN: Thank you, Steve.
INSKEEP: NPR's Tom Gjelten covers national security issues.
(SOUNDBITE OF MUSIC)
INSKEEP: It's NPR News.
It's MORNING EDITION. Transcript provided by NPR, Copyright National Public Radio.