
'Loopholes' leave America with weak cybersecurity plan, experts say

A cybersecurity bill under consideration by Congress tries to deal with private industry concerns, but its 'loopholes' would leave America open to cyberattack, experts said Thursday.

By Staff writer / February 16, 2012

In this September 2011 file photo, cybersecurity analysts work in the 'watch and warning center' during the first tour of the government's secretive cyber defense lab, in Idaho Falls, Idaho.

Mark J. Terrill/AP/File


A bid to make new cybersecurity legislation more palatable to private industry runs the risk of opening large loopholes that hackers, terrorists, and enemy nations could exploit, computer-security experts told Congress Thursday.

The Cybersecurity Act of 2012 is almost finished, and Obama administration officials say it is urgently needed to defend porous computer networks that control key American industries from attacks that could cause mass casualties and hammer the economy.

But the bill would require federal oversight of some "critical infrastructure" – mostly controlled by private industry – and seven Republican senators are balking, saying the bill has not had enough review.

The bill’s difficult balancing act is in making sure that the 85 percent of the nation's "critical infrastructure" that is controlled by private companies is really secure without unduly interfering with private industry.

The need for some plan of action has been highlighted by reports of intrusions into systems controlling the US power grid, water systems, and US oil company networks by hackers. None are now subject to federal oversight to ensure they have adequately secure cyber networks.

The Cybersecurity Act of 2012 would seek to remedy that problem by:

  • Defining as "critical infrastructure" computer systems that – if disrupted by cyberattack – "would cause mass death, evacuation, or major damage to the economy, national security, or daily life." Such systems would be required to meet federally overseen security standards. Owners who think their systems were wrongly designated could appeal.
  • Requiring the Department of Homeland Security (DHS) to work with the owners of designated critical infrastructure systems to develop performance requirements. If a sector is secured, no new requirements would be developed or required.
  • Allowing owners of a covered system to determine how best to meet the new security requirements and then verify fulfillment of those requirements through a third-party assessor or even "self-certify" their own systems.
  • Requiring information-sharing between private sector and federal government agencies on threats and incidents, with an emphasis on civil liberties and privacy.

In an effort to smooth passage, the bill has already removed one provision that critics had claimed would have given the president a “kill switch” to essentially turn off the Internet.

But experts took a different view on the bill, telling the Senate Homeland Security and Governmental Affairs Committee that it is not strong enough. 

