U.S. Sen. Susan Collins had strong words for the Senate’s failure to take action on a bill recently that would have set voluntary standards to help prevent cyber attacks.
“Rarely have I been so disappointed in the Senate’s failure to come to grips with a threat to our country,” said Collins, a sponsor of the bill and a ranking member on the homeland security committee.
We agree. The nation is utterly dependent on its Internet-based systems and must update its laws to reflect reality. It should not take a massive cyber attack to a nuclear plant or a train system to finally persuade Congress to agree on protective measures. The number of attacks against critical infrastructure reported to the Department of Homeland Security increased by 383 percent between 2010 and 2011.
Hackers have targeted the networks of companies operating natural-gas pipelines, in addition to computer systems in the nuclear and chemical industries, President Barack Obama wrote in a Wall Street Journal opinion piece July 19. A water plant in Texas had to disconnect its control system from the Internet when it learned a hacker posted pictures of the facility’s controls.
The threat is a real one. What would happen to the economy if a hacker accessed the country’s banking systems or electric utilities’ controls? The Cybersecurity Act would have required both the private sector and the government to share information about cyber threats and encouraged entities that own or operate critical infrastructure to meet minimum standards.
It would have authorized risk assessments of critical infrastructure in order to gauge the level of catastrophic damage possible. And it would have sought and incorporated private sector expertise through groups such as the Critical Infrastructure Partnership Advisory Council.
But instead of addressing the problem, the Senate failed to reach the 60-vote threshold required to end debate. Instead of listening to intelligence and defense leaders — from both Republican and Democratic administrations — it bowed to business interests, even though many businesses have already acknowledged the problem and improved their digital defenses independently.
The U.S. Chamber of Commerce, other business groups and a number of Republicans, including John McCain of Arizona, opposed the bill, arguing that the legislation would be too burdensome for companies. They continued to oppose it even when Sen. Joe Lieberman, I-Conn., agreed to water it down and make the security standards optional.
The Chamber’s chief lobbyist, Bruce Josten, wrote to senators that the bill “could actually impede U.S. cyber security by shifting businesses’ resources away from implementing robust and effective security measures and toward meeting government mandates.”
Others argued that government should not have the power to make decisions regarding the digital defenses of private infrastructure companies — that the companies are better able to protect themselves.
The arguments are bogus. Clearly not all companies are protecting themselves, and this is a matter of national security. The legislation would have been to their own benefit.
When Defense Secretary Leon Panetta says the threat of a cyber attack keeps him up at night, and former National Security Agency director Mike McConnell warns that the U.S. is not ready to deter a major attack, there are larger things to worry about than whether it will be too burdensome for businesses to give the federal government the cyber data they already routinely gather.
The Republican senators in opposition didn’t even listen to Keith Alexander, director of the NSA, who urged the Senate to pass the bipartisan cybersecurity legislation. If they don’t heed the advice of one of the nation’s premier experts on the issue (he’s also commander of the United States Cyber Command), then perhaps they weren’t paying attention to the facts?
Sharing information about cyber attacks and filling security gaps are basic ways to help prepare for inevitable threats. Congress learned too late how security could be improved after 9/11. Now the country knows what the threat is and is failing to act. We call that willful ignorance.