Congress must confront the growing cyber threat at home
The Internet has revolutionized the American way of life, from communication to commerce. However, with the rewards of digital connectivity have come great risks to our critical infrastructure.
Complex entities such as gas lines, power grids and water, energy and transportation systems are vital to our economy, and therefore the threats against them threaten our national security. While virtual communication increases their capabilities, it also has increased their vulnerability to hackers, criminals and nation states looking to steal or dismantle our technology.
The cyber threat is real and immediate. FBI Director Robert Mueller noted the severity of the threat when addressing IT security professionals last year. He said, “terrorism does remain the FBI’s top priority, but in the not too-distant future we anticipate that the cyber threat will pose the greatest threat to our country.”
This statement is quickly proving true. According to the National Security Agency, from 2009 to 2011 cyberattacks on American infrastructure companies increased 17-fold. Additionally, the Department of Homeland Security (DHS) recently reported that between December 2011 and June 2012, cyber criminals targeted 23 gas pipeline companies and stole information that could be used to disrupt or damage their networks. And in December 2012, two power plants in the U.S. were attacked with sophisticated malware that reached critical networks.
Recently, cyber incidents in the U.S. have continued to escalate — hackers from Iran have targeted our major banks, and Chinese hackers have hit major U.S. newspapers, technology companies and government agencies.
Many of these attacks have been attempts at cyber espionage or disruption of services, but increasingly cyberattacks are aiming to disable or destroy infrastructure. It is not a far-off reality that a virtual cyberattack could lead to real-world destruction such as a pipeline explosion, an extended disruption in electricity or a shutdown of our transportation systems. Just this month, a group called the “al Qaeda Electronic Army” released a video threatening cyberattacks on America’s “vital sectors.”
Industry has been fighting these cyber battles for years, and each sector has developed its own cybersecurity best practices, but they need the government’s help to coordinate and bolster our nation’s cyber defenses.
The information and means to thwart attacks are there, but are not systematically shared between operators of critical infrastructure or between the private and public sectors. This makes us all vulnerable.
The key to addressing these cracks in our cyber defenses lies with bridging the gap between government and industry. The DHS and outside stakeholders already have laid a strong foundation for a collaborative public-private cybersecurity partnership. Recognizing the need to share best practices and threat information, the department has been facilitating communications between the 16 sectors of critical infrastructure.
Specifically, each critical infrastructure sector has an Information Sharing and Analysis Center (ISAC), where sector-specific cyber threat information is aggregated by industry. Each ISAC is invited to participate in the DHS’s National Cybersecurity and Communications Integration Center (NCCIC). Here, all federal departments and agencies, state and local governments and international entities join the private sector at the table.
The NCCIC serves as a centralized location for the sharing of cyber threat information to coordinate the protection, prevention, mitigation and recovery activities for significant cyber incidents. Not only has this proved to be very effective, it should serve as a model for what should happen on a larger scale. Homeland Security can and should serve as a nerve center for coordinating and disseminating information in coordinated partnership with other agencies.
The Obama administration has made some progress in encouraging public-private partnerships, but Congress must bolster these efforts by securing industry and government buy-in for sharing information in real time. This is the only way to make sure we can see and stop attacks.
While we work together to safeguard our homeland, we must also safeguard our citizens’ civil liberties and privacy and make sure we do not impede the expansion of commerce and trade. The DHS’s privacy standards and policies make it a good agency to handle this responsibility.
After hearing from members of industry, government and privacy advocates, I am confident we can pass new legislation that complements current House efforts, such as the Cyber Intelligence Sharing and Protection Act, that will enable us to prevent cyberattacks. In the coming weeks, I will introduce a bill based off these discussions that streamlines and bolsters the cybersecurity processes that have been established at Homeland Security, without creating new government programs or new costs to the taxpayers.
The threat of a devastating cyberattack on the U.S. from criminals, terrorists and other nation states grows with every passing day. We cannot wait any longer to ensure the cybersecurity of our nation.
McCaul is the Chairman of the House Committee on Homeland Security.