US defense officials warn of the increasing threat of cyberattacks on the nation’s power grid, natural gas pipelines, and other strategic infrastructure, but what do the two political parties and their candidates know about these threats – and what will they do to thwart them?
The US could be hit with a "cyber Pearl Harbor," Defense Secretary Leon Panetta acknowledged in a June Senate hearing. Gen. Keith Alexander, who heads the Pentagon's new US Cyber Command, warned at a security conference in July that on a 1-to-10 scale, American readiness for a major cyberattack is “around a 3.”
Both political parties do recognize, at least, that such threats are quickly becoming a major new US national security problem for the 21st century – as warnings buried deep in their respective political platforms acknowledge.
The Democratic platform, on page 60, spends not quite 200 words on cybersecurity, with the GOP giving the topic twice as much space on pages 41-42. The Democratic script cites "unprecedented steps" taken by the Obama administration to defend America from cyberattacks, including creating the military's new Cyber Command.
By contrast, the Republican document chides the White House for an overreliance on "defensive capabilities" and talks of a crying need for government and business to do a better job of sharing threat information.
Raking over the platforms' statements for shreds of meaning, cyberexperts were alternately impressed – and depressed.
Some of these experts were, for instance, reassured by the Republican Party's focus on developing US "offensive [cyberweapon] capabilities."
"For far too long, we have sat in the background hoping that our defenses hold up, while adversaries from China and the Eastern bloc steal American IP, and conduct cyber raids against our critical infrastructure," says Jonathan Pollet, founder of Red Tiger Security, a company that specializes in securing computerized control systems that open and close vital valves and switches in industrial settings.
"We are becoming weaker as a nation because of other nation states' aggressive stance on cyber security," he writes in an e-mail. "America must fight back to win, and the GOP statements show me that they actually understand current cyber issues."
Other experts, however, said Republican calls for more cyberoffense were hollow.
"The Obama administration, from the beginning, has implemented aggressive cyberwarfare deployments against Iran," writes John Michener, chief scientist at Casaba, a cybersecurity firm that works with Microsoft and others, in an e-mail interview. "The Democratic platform does not talk about this – and properly so. Cyberwarfare is typically very covert. Overt cyberwarfare is more likely to be responded to by more overt measures."
The Republican platform also says "we acknowledge that the most effective way of combating potential cybersecurity threats is sharing cyberthreat information between the government and industry, as well as protecting the free flow of information within the private sector." Several cybersecurity experts, however, say such calls have limits without mandates that require the capability to use the information.
"The information sharing that the Republican platform focuses on is a very minor issue," says Dale Peterson, CEO of Digital Bond, a control systems security firm in Sunrise, Fla. "There are plenty of vehicles in place for information sharing today, but organizations don't see any benefit in sharing."
Robert Huber, co-founder of Critical Intelligence, an Idaho Falls-based expert in industrial control systems, says "information sharing between government and private entities appears beneficial on the surface; however, many private entities’ cybersecurity programs are not mature enough to ingest the information.... If your organization does not have the appropriate collection and logging systems in place, what are you going to do with this information?"
More telling, some said, was the Republican platform’s warning that a "costly and heavy-handed regulatory approach by the current Administration will increase the size and cost of the federal bureaucracy and harm innovation in cybersecurity."
That language is a direct echo of Congress's unwillingness to pass even weak, voluntary measures to strengthen cybersecurity for critical infrastructure. The House earlier this year passed an information-sharing-only bill. In the Senate, Republicans backed by the US Chamber of Commerce last month even blocked a bill that contained only watered-down voluntary standards for private infrastructure owners to meet.
"The Republicans basically replayed the Bush 2002 [anti-regulatory, voluntary] strategy, which was a complete flop," James Lewis, a cyberexpert with the Center for Strategic and International Studies, a Washington think tank, writes in an e-mail.
"There are some really smart people in the Romney campaign, so this is probably not the real policy, just a placeholder for the election, but designed to check the ideological boxes using a combination of advertising slogans and wishful thinking," Mr. Lewis adds. "I don't know if that means they couldn't agree internally and had to settle on the lowest common denominator or if they really believe that stuff about voluntary actions – some of them do, so I expect it was a mix of both motives."
But Democrats didn't fare much better as far as what they are asking for from industry, the experts said. The Democratic platform is basically "a mirror of the Senate bill that failed," writes Digital Bond's Mr. Peterson.
"In reality, the Department of Homeland Security has all the authority they need to make a difference," he writes. "The government has just refused to put out honest, detailed information about the problem and to put companies on record that they know about it and should fix it. This combined with the Securities and Exchange Commission disclosure requirements would put heat on C-level executives to fix the problem. No legislation is required for this."