The battle for cyber security
Posted: 16/08/2012
By Nigel Inkster, Director of Transnational Threats and Political Risk
The recent failure of a major cyber security bill in the Senate shows just how complicated it is going to be to properly protect the United States’ infrastructure from hackers and online spies. With the nation’s power grids, transportation and water supply all heavily dependent on computer networks, national security officials have long argued that regulation and minimum security standards will be necessary to guard against cyber attacks. But there is political resistance to introducing these, because of privacy concerns and questions over the role of government.
An estimated 85% of US infrastructure is owned and operated by private companies.
According to National Security Agency (NSA) Director and Head of US Cyber Command General Keith Alexander, there was a 17-fold increase in cyber attacks on critical infrastructure between 2009 and 2011. He has rated America’s ability to cope with a major attack at three out of ten.
Earlier this month, a Republican filibuster blocked the revised Cybersecurity Act of 2012 (CSA), which was introduced by Senators Joseph Lieberman and Susan Collins with White House backing. Despite further support from leading national security officials, the bill failed to reach the 60 votes needed to end the filibuster and bring it to a final vote, securing only 52 votes in favour. Many Senators have promised to push on with the 200-page bill when they return in September from the recess. However, it is unlikely to be reintroduced until after the presidential elections in November.
Instead, President Barack Obama is said to be considering an executive order to protect critical computerised infrastructure.
The CSA bill has already involved compromises. In its original form, it mandated federal government investment in cyber security; provided for information sharing between the private sector and government agencies; mandated minimum security standards for private operators of critical infrastructure; and made provisions for private companies to take action against cyber threats – for example by disrupting Internet traffic.
However, in the face of strong opposition from the powerful US Chamber of Commerce (representing the private sector), the provision for mandatory minimum security standards was watered down to proposals for voluntary compliance and government incentives. These changes did not, however, satisfy the business community, nor did they placate Republican senators ideologically opposed to greater government regulation, and who are loath to grant the White House any legislative successes in an election year.
The US civil-liberties community was also concerned about the bill, because of the data-privacy implications of Internet companies such as Google and Yahoo sharing information with government agencies, whether on a mandatory or voluntary basis. The bill’s failure gives them a slight reprieve, but the question of regulation won’t go away.
The dilemma facing the US, or any country that provides some critical services through the private sector, is that citizens will look to the government for a response in the event of a serious cyber malfunction or discontinuity, even though the government will have no direct remedy: the affected systems belong to, and are run by, private operators.
The risks of such a discontinuity appear remote to the private sector, and the financial implications of investing in greater levels of security unacceptably high. The private sector also argues that excessive regulation will inhibit its ability to generate the kind of technical innovation most likely to combat threats. And while this is a self-serving argument, there is a case to be made that measures like the cyber security bill could turn out to be a legislative straitjacket – providing insufficient flexibility to cope with the speed of technical innovation and imposing a high level of bureaucratic compliance, at the cost of a truly effective risk-management culture.
Civil-liberties campaigners – who tend to dismiss talk of cyber threats as overblown – called the bill ‘a surveillance bill in disguise’, although the American Civil Liberties Union (ACLU) acknowledged that amendments to the original draft represented an improvement. These amendments included provisions restricting information-sharing to civilian agencies – excluding, for example, the NSA – and stipulated that such agencies must provide annual reports on what information had been received and how it had been used.
The United States is not the only country grappling with the complex set of problems posed by cyber threats, although its pre-eminence in the field does mean that other countries will watch carefully any legislation it enacts. The European Union is also reported to be on the brink of introducing binding legislation designed to enable member states to achieve a common minimum level of cyber security. Although details of this legislation have not yet been made public, they are thought to include proposals that would oblige private companies to notify governments of cyber-security breaches, incidents and attacks – something many companies are reluctant to do because of the reputational and financial implications.
For the foreseeable future, it seems probable that any progress towards greater levels of cyber security will be incremental. It may take a major incident to spur attitudes and behaviours towards more radical measures.