'Loopholes' leave America with weak cybersecurity plan, experts say

A cybersecurity bill under consideration by Congress tries to deal with private industry concerns, but its 'loopholes' would leave America open to cyberattack, experts said Thursday.

Mark J. Terrill/AP/File
In this September 2011 file photo, cybersecurity analysts work in the 'watch and warning center' during the first tour of the government's secretive cyber defense lab, in Idaho Falls, Idaho.

A bid to make new cybersecurity legislation more palatable to private industry runs the risk of opening large loopholes that hackers, terrorists, and enemy nations could exploit, computer-security experts told Congress Thursday.

The Cybersecurity Act of 2012 is almost finished, and Obama administration officials say it is urgently needed to defend porous computer networks that control key American industries from attacks that could cause mass casualties and hammer the economy.

But the bill would require federal oversight of some "critical infrastructure" – mostly controlled by private industry – and seven Republican senators are balking, saying the bill has not had enough review.

The bill’s difficult balancing act is in making sure that the 85 percent of the nation's "critical infrastructure" that is controlled by private companies is really secure without unduly interfering with private industry.

The need for some plan of action has been highlighted by reports of intrusions into systems controlling the US power grid, water systems, and US oil company networks by hackers. None are now subject to federal oversight to ensure they have adequately secure cyber networks.

The Cybersecurity Act of 2012 would seek to remedy that problem by:

  • Defining as "critical infrastructure" computer systems that – if disrupted by cyberattack – "would cause mass death, evacuation, or major damage to the economy, national security, or daily life." Such systems would be required to meet federally overseen security standards. Owners who think their systems were wrongly designated could appeal.
  • Requiring the Department of Homeland Security (DHS) to work with the owners of designated critical infrastructure systems to develop performance requirements. If a sector is secured, no new requirements would be developed or required.
  • Allowing owners of a covered system to determine how best to meet the new security requirements and then verify fulfillment of those requirements through a third-party assessor or even "self-certify" its own systems.
  • Requiring information-sharing between private sector and federal government agencies on threats and incidents, with an emphasis on civil liberties and privacy.

In an effort to smooth passage, the bill has already removed one provision that critics had claimed would have given the president a “kill switch” to essentially turn off the Internet.

But experts took a different view on the bill, telling the Senate Homeland Security and Governmental Affairs Committee that it is not strong enough. 

In particular, the bill contains "significant loopholes," said James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.

First, by defining "critical infrastructure" as only those systems that if disrupted "would cause mass death" or "major damage to the economy, national security, or daily life" many, if not most, critical computer networks would not be covered.

That weakness could be targeted, he said.

"Cyberattacks in the next few years won’t cause mass casualties," he noted. "The threshold [is] too high, and we are simply telling attackers where they should hit."

The other section of the bill that concerned him is a near-blanket "carve-out" that would exempt commercial information-technology manufacturers and service providers from any federal oversight.

"It makes sense that industry does not want government telling them how to make products," Dr. Lewis noted. "But a blanket restriction on services, maintenance, installation, and repair, could … leave the door open for a Stuxnet-like attack against America."

Other cybersecurity experts at the hearing seconded Lewis's assessment on the bill.

"I fear that it has already been weakened unduly by those who want us to do nothing," Stewart Baker, a former DHS and National Security Agency official, told the committee.

"We do not expect General Motors to field its own antimissile defenses in the event of a nuclear attack," Mr. Baker said. "And we cannot expect private power or oil companies to stand alone against calculated attacks from the militaries of half a dozen nations."

While the bill does an admirable job developing a flexible framework that allows private industry to respond rapidly to threats identified by the federal government, it needs to go further, he said.

"Commercial information-technology products are certainly part of the problem," Baker noted. "Why shouldn’t they be part of the solution?"
