By Senator Susan Collins
(R-Maine)
The Internet was born in October 1969, and for the first half of its life was just a tiny hamlet of academic and government computers networked in a way that made it easy for researchers to share their work—a digital Mayberry where people left their doors unlocked because there were few strangers to fear.
But this small-town architecture that remains the core of the Internet’s foundation is cracking under the demands placed on it as it has grown into a global megalopolis that touches almost every part of our daily lives.
We use it for entertainment, communications, banking, commerce and to control the systems that open and close the valves and switches in our critical infrastructure, like power plants, energy pipelines and our financial, transportation and water and sewer systems.
Today, the Internet is under constant attack on all fronts. National Security Agency Director General Keith Alexander blamed cyber attacks for the “greatest transfer of wealth in history” estimating that U.S. companies lose about $250 billion a year through intellectual property theft, $114 billion to theft through cyber crime and another $224 billion in down time the thefts caused.
“This is our future disappearing before us,” he said.
If this kind of economic loss isn’t enough to motivate us to pass strong cyber-security legislation, to better defend the cyber systems we all depend on, consider this:
A recent story in The Washington Post detailed how a young man living an ocean away from us was able to use his computer to hack into the control panel of a small-town water utility in Texas. It took him just 10 minutes and required no special tools or training. And the utility had no idea of what had happened until the hacker posted screen shots of his exploit online as a warning of how vulnerable we all are.
The bipartisan “Cybersecurity Act of 2012,” which I have introduced with my Senate colleagues Joe Lieberman (I/D-Conn.), Jay Rockefeller (D-W.V.), Dianne Feinstein (D-Calif.), and Tom Carper (D-Del.), seeks to strengthen our computer networks’ security with a combination of information sharing and the establishment of outcome-based security performance standards.
Our most critical infrastructure, that which if damaged could cause deaths and economic and environmental disasters, should voluntarily abide by consensus cyber-security practices.
Information sharing will allow private sector network owners to share threat information among themselves and a civilian entity of the federal government, and, in turn, the federal government will be able to share threat information it discovers with the private sector and together defend our country.
Our bill includes strong privacy protections to safeguard civil liberties and requires strict oversight to ensure compliance with these provisions.
When it comes to our most critical infrastructure, information sharing is not enough, however. We must encourage our critical infrastructure to adopt security standards voluntarily.
Let’s use that Texas water utility that was hacked as an example. The owners had no idea their system was connected to the Internet, so information sharing wouldn’t have helped: they had no idea they were at risk in the first place and weren’t looking for information.
Under our bill, these standards would be developed cooperatively with the private-sector owners and operators of critical infrastructure. No single solution will be imposed on anyone, nor will any specific technology or technique be required. All will be free to innovate as they adopt performance goals.
And this need not be expensive—and can be a lot less costly than the consequences of a breach. A recent report by Verizon, the Secret Service and other international law enforcement agencies analyzed 855 data breaches in 2011 and found that 96 percent were not difficult to pull off and 97 percent could have been prevented through fairly simple and inexpensive means.
Using the Texas example again, the hacker was able get onto the control board because the utility had never changed the three-digit password installed by the factory—and that was easy to find in technical manuals available on the Internet.
Six of our nation’s most experienced Republican and Democratic national security leaders have endorsed our approach.
In a letter to the Majority and Minority Senate Leaders, former Homeland Security Secretary Michael Chertoff; former Director of National Intelligence Admiral Michael McConnell; former Deputy Defense Secretary Paul Wolfowitz; former NSA and CIA Director Michael Hayden; former vice chairman of the Joint Chiefs of Staff Marine General James Cartwright; and former Deputy Defense Secretary William J. Lynn wrote:
“Infrastructure that controls our electricity, water and sewer, nuclear plants, communications backbone, energy pipelines and financial networks must be required to meet appropriate cyber-security standards.
“We carry the burden of knowing that 9/11 might have been averted with the intelligence that existed at the time. We do not want to be in the same position again when ‘cyber 9/11’ hits. It is not a question of whether this will happen; it is a question of when.”
Many more of our nation’s top security officials, including Secretary of Defense Leon Panetta, the FBI Director Robert Mueller and the Chairman of the Joint Chiefs of Staff General Martin Dempsey have issued similar warnings.
The threat board is blinking red. Congress needs to act now before a cyber 9/11 happens.
A well stated and emotionally compelling bipartisan appeal. Who does not want to be safe? If we do suffer an attack, then not having the Cybersecurity Act of 2012 in place will be used in the same way that gun control advocates call for more “common sense” gun regulation after every mass shooting event.
The problem is that we have become conditioned to not trust our government to limit its control and protect privacy, nor to restrain itself from explosion in size. Five years after enactment, we might expect to see 14 regional offices, staffed with 16,000 new employees with unrestrained enthusiasm supported by 70,000 pages of newly promulgated regulation. All the offices will have hiring quotas geared to achieving social justice and be located in government designated areas of minority disadvantaged condition.
We might all be able to support legislation that facilitates exchange of threat data and an opportunity for “buy-in” from those who are competent to contribution to data sharing. Allowing government to become the cyber-cop is not in keeping with American tradition of value and problem solving.
I think that there is a pattern in that many times when these emotionlly driven “Acts” that are advertised as a means of increasing and insuring safety and security, by further limiting and intruding into my rights and freedoms, are authored and sponsored by the same names.
I don’t feel that the safety nor the security, that Senator Collins and not so honorable Senate colleaques are purchasing with my liberties, is intended for me and mine, nor in our interest.
No thank you, Senator Collins and not so honorable Senate colleaques.
We need more control from our government in our lives because the government wants to keep us safer onlIne now? It is my responsibility to upgrade my I.T. security. It is my responsibility to run my computer safety checks. I block unsafe sites, report spam and clean my computer deleting cookies daily. It is also my responsibility to lock my own door at night and check my windows. Each new law or regulation costs the overburdened taxpayer and consumer. Since the hacking and fraud is an issue to Washington, how many times have some of the agencies listed in your letter been hacked into? Does someone forget to check the locks on those doors or is it time for people to be responsible for themselves providing for independent and responsible thinking? Respectfully, Bootsie Burton