The U.S. Congress needs to pass cybersecurity legislation creating voluntary standards for businesses operating critical infrastructure before the country is the victim of a major cyberattack, one lawmaker said.
A major attack is coming, said Senator Susan Collins, a Maine Republican and cosponsor of a wide-ranging cybersecurity bill stalled in the Senate.
"We know it's only a matter of when, not whether, we have a catastrophic attack," she said at a Woodrow Wilson Center debate about cybersecurity. "My hope is this isn't a case where Congress does nothing until there is a catastrophic attack on our critical infrastructure and then, inevitably, we will overreact and that will make [civil liberties groups] very uncomfortable."
One major problem with cybersecurity efforts in the U.S. is that businesses being attacked often don't have a complete picture of the threats, said General Keith Alexander, commander of U.S. Cyber Command and director of the U.S. National Security Agency. Government agencies and businesses need better incentives to share information with each other, he said.
"The people who run the networks understand what's happening on their networks, given the information they have," Alexander said. "The problem is they don't have all the information. Government has some, they have some, academia has some, and we're not sharing."
Alexander has voiced support for the Cybersecurity Act, the legislation introduced by Collins and three other senators earlier this year. The bill would create voluntary cybersecurity standards for U.S. businesses and would set up mechanisms for the government to share cyberthreat information with businesses and for businesses to share it with each other.
The nature of cyberattacks is changing, from simple intrusions to disruptive attacks, Alexander said. At some point, attackers may seek to destroy networks or infrastructure such as the electrical grid or stock markets, he said.
While Collins and Alexander called for new cybersecurity measures, Anthony Romero, executive director of the American Civil Liberties Union (ACLU), urged lawmakers to take a thoughtful approach. Government efforts in the area need strong oversight, and some recent proposals in Congress would put the NSA or U.S. Department of Defense in charge of most government cybersecurity programs, he said.
Programs at the NSA or DOD would have little transparency to the public, Romero said.
Romero said he's concerned that the fight against cyberattacks will become similar to the country's decade-old fight against terrorism. "In the name of fighting terrorism, we tortured, we abrogated due process for certain detainees, we opened a military camp in Guantanamo that's still open to this day," he said. "In the name of national security and cybersecurity, we could easily go too far as well."
The Cybersecurity Act had several civil liberties protections, Collins said. Civil liberties concerns are a good reason for Congress to act now, not after a major attack, she said.
In addition to destructive attacks, cybercriminals are stealing U.S. intellectual property, she said. "It is our economic edge, our intellectual property, our R&D, that's being stolen," she said. "It costs billions of dollars and millions of jobs to our country."
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is [email protected]