The Senate and Cybersecurity: Finding a Path Forward
Will the Senate pass a cybersecurity bill? That’s the major question looming this week as the time for congressional action in 2012 shrinks. While the House of Representatives passed a package of cybersecurity bills with bipartisan support, Senators seem to be struggling to find their own bipartisan agreement that can win the support of at least 60 members – the key threshold to pass just about any important Senate bill these days.
A number of Senate options are being hammered out, from the initial Lieberman-Collins bill, to the revamped SECURE IT Act offered by Senators Hutchison and McCain, to the latest entry – the Whitehouse-Kyl proposal. Senator Lieberman reportedly is considering wrapping pieces of Whitehouse-Kyl into his bill before it gets to the floor. Each proposal has good elements, but none, to date, has garnered the support necessary to win Senate approval.
ITI and our member companies have met repeatedly during the past few months with Senators and their staffs, working to shape an enhanced cybersecurity structure for the United States that will best protect individuals and the country alike. We believe the heart of any updated approach should be a smart, strong information sharing system that is adaptable to meet constantly changing dangers. We’ve been pleased with the response from Senators to our ideas, and look forward to continuing discussions as the proposals move to the full Senate for debate and votes.
Given the effort to reach agreement, we thought it a good time to step back and reinforce the core principles that the tech sector believes should be included in any cyber proposal. The tech sector outlined these guideposts last year, and just recently, ITI, DIGITALEUROPE, and the Japan Electronics and Information Technology Industries Association (JEITA) joined together on a similar set of international cyber principles. Both of these documents focus on core issues of collaboration, interoperability, and proactive protections that focus on building awareness and sharing information.
We believe that efforts to improve U.S. cybersecurity must:
- Leverage public-private partnerships and build upon existing initiatives and resource commitments;
- Be able to adapt rapidly to emerging threats, technologies, and business;
- Properly reflect the borderless, interconnected, and global nature of today’s cyber environment;
- Be based on risk management;
- Focus on awareness; and
- More directly focus on bad actors and their threats.
These priorities get to the heart of what cybersecurity really is, namely, personal security. Personal information – names, addresses, Social Security numbers, credit card info, and so on – represents 95 percent of all the data compromised by cyber intrusion. Criminals then use the data for identity theft, phishing campaigns, and other fraud. New breeds of cybercriminals, hacktivists, and rogue nations have become adept at exploiting the vulnerabilities of our digital world, placing consumer information as well as private and government data and proprietary systems at risk. This includes critical infrastructure.
In the United States, 85 percent of critical infrastructure is owned and operated by private industry. A significant portion of that infrastructure traditionally had never been connected to the Internet. Rather, it existed in a closed “air gap” structure -- a protected world in which only a handful of people had access and that usually required getting through a physical security perimeter. Removed from the Internet, these stand-alone systems very easily stymied would-be cyber intruders because there was no way to reach these systems remotely. But today, many operators have connected critical infrastructure systems to the Internet to gain some key benefits, such as remote management or increased functionality.
A good example is the Smart Grid, which allows electricity companies and their consumers to better understand and manage electricity consumption online. But these benefits also have brought trade-offs. Now, instead of a handful of people with access to these systems, in theory the billions of computer users online could access them with the right know-how. That puts a new priority on the cyber protections that we collectively dedicate to these potential targets.
In this world, with so much critical infrastructure connected to – and even dependent upon – the Internet, we need to make sure that critical infrastructure operators understand the threats they face, the responsibilities they carry, and the opportunities that they have to work in collaboration with other sectors and the government to improve the cybersecurity and resiliency of these critical infrastructures.
Congress can pass legislation to help operators better understand and address these threats without relying on a heavy-handed, regulatory approach. Such regulation could create siloed, bureaucratic structures, putting cyber defenses at a disadvantage because the various groups responsible for security would have limited coordination and be too slow. One group may be watching for events, but not have complete information on digital assets being targeted. Moreover, cyber intrusions and other incidents in today’s environment often come from multiple points and, while they are IT-based, they can combine technical tactics with social engineering or even physical access to a facility. Security teams cannot rely on regulators to accurately interpret and respond to multi-modal intrusions. They need to be able to identify a threat and counter it quickly – not after government forms are filled out and approved in triplicate.