The United States has the most powerful military in the world, with nearly 1.5 million active service members. We are prepared to meet threats delivered by land, air or sea – but not threats delivered by computer code.
Yet a bill that would have asked operators of vital infrastructure systems, such as power grids and water-treatment plants, to comply with voluntary cybersecurity standards recently died in the Senate.
In its original version, the bill, backed by President Barack Obama, would have implemented mandatory standards. The bill’s sponsors, Sens. Joseph I. Lieberman, I-Conn., and Susan Collins, R-Maine, backed down only when it became clear they would not be able to muster enough votes, offering a voluntary program instead. Still, Senate Republicans saw the voluntary program as little more than a stepping stone on a path that would eventually lead back to the sponsors’ initial vision.
The proposed compromise bill would have at least given us a start on efforts to improve cybersecurity. I wish it had passed. But I understand why Senate Republicans were reluctant to help the current president gain more authority to tell businesses what to do. Another president might have spent his time in office building the ties and trust with the business community that would justify taking a leadership role in the face of an emerging threat that should concern practically every business manager. Obama has not.
Now, rather than attempting to assuage critics’ fears, Obama has moved in the opposite direction, suggesting that he may just implement the voluntary standards, as best he can, through executive order. The message is obvious: The president is set on getting his way. “An executive order makes clear the administration’s intent to put a mandatory program into place to regulate businesses,” Matthew Eggers, senior director of national security at the Chamber of Commerce, said in an emailed statement reported by Bloomberg.
The price of this infighting is that we are unlikely to get a substantive legislative response to the threat of cyberterrorism any time soon.
Many people still think of hackers as rogue individuals, bent on wreaking destruction for destruction’s sake or on hijacking passwords for personal gain. Those sorts of hackers do exist and are a threat. Just earlier this year, the anarchist hacker group Anonymous claimed responsibility for a second attack on the CIA website. Meanwhile, the Conficker worm, which recruits computers into a botnet, a network potentially capable of being used remotely by hackers, infects around 7 million computers. The botnet could be used to crash particular websites by flooding servers with requests, or it could be used as a supercomputer to break encryption systems and steal financial data. So far, the creators of the network seem more interested in the second purpose. “The people behind [the botnet] apparently want to use it for criminal reasons – to make money,” said Mark Bowden, an expert on Conficker. Last year, officials in Ukraine arrested a group of people using a portion of the Conficker botnet to drain millions from American bank accounts.
Hacking, however, is no longer the sole province of individual rogue programmers. Foreign nations and corporations are increasingly turning to computer-aided espionage as well, C. Frank Figliuzzi, who heads the FBI’s counterintelligence division, recently told Congress.
In one of the most striking examples, the Chinese company Sinovel converted itself from Massachusetts-based turbine manufacturer AMSC’s largest customer to one of that company’s biggest competitors by appropriating its proprietary software, with the aid of a bribed employee. It also recently came to light that one of the Russian spies arrested in the well-publicised bust in 2010 spent some of his time in the U.S. working as an in-house computer expert for a high-profile consulting firm, a position that was likely intended to give him access to proprietary information.
So far, the cyberspies have apparently focused primarily on stealing intellectual property from private companies for the benefit of their own industries, but similar methods could be used for more sinister purposes as well. Four years ago, the public got a glimpse of how cyberwarfare might function when cyberattacks played a minor role in the Russian attack on Georgia, crippling government websites before the military advance. Around the same time, the U.S. was itself secretly advancing the role of cyberwarfare with its coordinated attacks on the Iranian nuclear program.
To prevent a similar attack on American infrastructure, we first need to push CTRL+ALT+DEL on our political conversation on cyberterrorism and cyberwarfare. For that to happen, the president must show more respect for the business community and Republican senators must show renewed willingness to work with Obama and his administration, despite its less-than-business-friendly record. It won’t be easy, but it will be easier than rebooting infrastructure networks if we continue to leave them open to attack.