McCaul Op-Ed: Hardening Our Defenses Against Cyberwarfare (Wall Street Journal)
Wall Street Journal — By Michael McCaul
Before the devastating attacks of Sept. 11, 2001, it was difficult for most Americans to fathom such a tragedy on U.S. soil. It later became clear that we had not seen the warning signs. Today, advances in technology that connect utilities, industries and information in real time have changed the nature of the threats facing the nation. Digital networks could be used as a conduit to gas lines, power grids and transportation systems to silently deliver a devastating cyberattack to the U.S.
Nation states that mean America harm are sponsoring cyber espionage and are targeting the fastest route to the country's most sensitive information and critical infrastructure: wireless networks. Cyberwarfare is no longer an abstract threat to the homeland—it is happening now. Last year, an al Qaeda operative called for "electronic jihad" against the U.S. and compared the country's technological vulnerabilities to those in American security before 9/11.
A common military tactic by which an attacker attempts to disable or weaken a target before an invasion is referred to as "prepping the battlefield." Digital warfare is one way that foreign nation states disable critical infrastructure to make it vulnerable to conventional assaults. Stephen Flynn of Northeastern University, testifying last year before the House Committee on Homeland Security, described the cascading effect:
"When transformers fail, so too will water distribution, waste management, transportation, communications and many emergency and government services," Dr. Flynn said. He added: "Giving the average of twelve-month lead that is required to replace a damaged transformer today with a new one, if we had a mass damage of that scale at a local regional level the economic and society disruption would be enormous."
Whether foreign hackers cause a widespread energy shutdown—or worse, activate a nuclear meltdown—the U.S. cannot be complacent simply because a life-altering attack has not yet occurred.
A report released last month by Mandiant, a U.S. cybersecurity firm, identified China as the source of nearly 90% of cyberattacks against the U.S. Last fall, these hackers targeted a company that provides remote access to more than 60% of North America's oil and gas pipelines. Their attack was detected, but the company failed to stop the hackers from stealing project files. The nation's Air Traffic Control system has also been attacked by hackers, who stole both personal information and penetrated the ATC servers in 2009. Imagine the damage possible if enemies took command of U.S. commercial aviation.
Cyberattacks on the U.S. and its allies have also come from Iran and Russia. In December, Iranians targeted the state-owned Saudi Aramco, with the goal of stopping Saudi Arabia's oil production. This year Iran conducted multiple denial-of-service attacks on major U.S. banks.
The Department of Homeland Security and the Obama administration have made progress in promoting information-sharing. But the executive branch lacks constitutional authority possessed by Congress to provide the necessary liability protections that industry needs to freely and systematically share cyberthreat information with the federal government. To thwart attacks, we have to see and connect the dots. Congress has a responsibility to establish the statutory processes necessary to solidify and encourage this participation.
Additionally, Congress must build on the administration's efforts in a way that promotes U.S. commerce while not hindering its expansion and innovation. The public sector and privately owned companies that make up the country's critical infrastructure are capable of handling this challenge—and we must aid them in creating lines of communication with the civilian entities involved in making the American economy and infrastructure work.
The Department of Homeland Security has been building its partnerships with the private sector and increasing its capacity as an effective conduit for threat information-sharing. DHS manages a bottom-up network of entities from local first responders to nationwide threat-analysis and emergency-response centers like the National Cybersecurity and Communications Integration Center. The DHS could become a nerve center for sharing cyberthreat information with owners and operators of critical infrastructure—streamlining the defenses against cyberattacks.
Homeland Security already has the ability to provide real-time information necessary for instant threat detection, and to share emerging threat information to enable industry to act immediately to safeguard critical infrastructure. However, legislation that encourages participation by streamlining processes and reducing legal uncertainty for industry is necessary to help the public and private sectors be more responsive and accountable. In the process, care must be taken to protect Americans' privacy and civil liberties.
One of the primary lessons from 9/11 is that only by working together can Americans detect and deter their enemies. After the attack, the walls that prevented agencies from sharing threat information became apparent. In this new era, the government cannot allow turf battles to hamper the development of defenses necessary to prevent cyberattacks.
The House Committee on Homeland Security is working with all stakeholders and colleagues in Congress to foster consensus on necessary, bipartisan cybersecurity legislation. Threats to the U.S. homeland are evolving, both in the real and virtual worlds, and so too must the defenses evolve. Congress needs to act: The threat is real, and this time we have to see it coming.
Mr. McCaul, a Republican U.S. congressman from Texas, is chairman of the Homeland Security Committee.