August 02, 2012
Recovery After Cyber-Attack More Costly Than Prevention
Never before in the history of our nation has there been such an exponential growth in technology and innovation within the span of a generation. The Internet and its offshoots are now the foundation and backbone for our work, communications, commerce and entertainment.
The Internet is not impermeable. The proliferation of cyber-crime, as well as any prospect of excessive government surveillance, could weaken the public’s confidence in the use of the Internet for commerce and in their personal lives, which would be incredibly damaging to our economy and civil society.
Protection of the Internet is of great importance. It is imperative that our government work with industry and the public to strike the right balance between ensuring that our citizens are safe and secure from cyber-criminals and hackers, while also protecting and respecting their privacy. Congress must play a central role in assisting these stakeholders to strike that balance.
In homeland security policy, we know that prevention and protection is always less costly than response and recovery. It is better to set responsible standards for oil drilling than to clean up after a spill and far better to build a resilient society and educate our citizens on how to identify signs of violent extremism than to recover from a successful terrorist attack on our soil.
This is also the case with cybersecurity.
One of the biggest low-cost, high-impact areas where Congress can help improve cybersecurity is investments in training and educational initiatives. The government can develop and deploy sophisticated monitoring technology and build cybersecurity centers. However, it is equally important — and far less expensive — for the government to educate, inform and raise public awareness of online threats and proper security practices and protocols, called “cyber-hygiene.”
While heated debate on the Hill this year has focused more on controversial aspects of federal cybersecurity efforts, Congress must do more to spur investment in public education programs and bolster existing workforce training programs that are conducted by the Department of Homeland Security, Department of Commerce and others. Increased funding for these efforts, while less glamorous than high-tech cybersecurity initiatives, is a noncontroversial way to invest in our future and build a more security-conscious public.
While the government should adhere to the light-touch approach in working with the private sector and securing the Internet — an approach that has allowed the Internet to thrive as an engine of innovation and a safe haven for free speech — one area where Congress can help the private sector protect its networks is in information sharing.
Congress must pass legislation that would improve the flow of cyber-threat information from the government to businesses and relax legal restrictions while creating a safe space to permit businesses to share with one another as well. While the House recently passed legislation that would accomplish both, it also included language permitting too much sharing of information from business to the government, including military and intelligence agencies, which has justifiably concerned privacy and civil liberties advocates. It is critical that we strike the right balance, so that consumer confidence is not undermined by overreaching authority or invasion of privacy concerns.
In a recent United Technologies/National Journal poll, almost two-thirds of respondents said government and businesses should not be able to share information about consumers because of privacy concerns. Though information sharing is vital to improving the level of security on our networks, Congress needs to carefully craft legislation that will ensure consumers’ personal information is not jeopardized by any new framework.
Although the federal government’s role in private-sector cybersecurity should largely be limited to facilitating the flow of information and providing support when requested, there is one area of our private sector that requires special attention and a more proactive approach from the federal government: critical infrastructure.
Our nation’s critical infrastructure, most of which is privately owned, powers our homes and keeps water running. As Deputy National Security Adviser John Brennan noted, there has been a nearly fivefold increase from 2010 to 2011 in reported cyber-intrusions against networks controlling sensitive critical infrastructure, and some infrastructure owners have accepted risks that could endanger public safety. Experts fear that, in the near future, a virus similar to the notorious Stuxnet virus, which did serious damage to Iran’s nuclear program, could be turned against networks controlling our dams, electric power or pipelines and lead to disastrous consequences.
Government’s top responsibility is to protect our citizens, whether it is through setting standards, regulations or incentives. Congress must proactively address the cybersecurity of our nation’s critical infrastructure, with a plan for both protection and resilience.
Regrettably, important legislation that would accomplish this is stalled in the Senate, and the House has refused to take up critical infrastructure legislation of any kind. Unfortunately, the failure of Congress to take any meaningful action to protect critical infrastructure networks from crippling cyber-attacks may one day come back to haunt us all.
Rep. Yvette Clarke