How the U.S. plans to defend the nation’s critical infrastructure from hackers and other attackers remains in limbo… again.
As in 2012, legislators seem no closer to defining what safeguards can and will be implemented to prevent military and commercial networks from being breached. At a March 7 Senate cybersecurity hearing, members of both parties spoke positively of resolving their differences, but apparently moved no closer to an actual solution.
Concerns over cybersecurity fall into two categories: military and government-owned infrastructure, which could be targeted by foreign governments for the purposes of intelligence and possibly disrupting military preparedness; and the private sector, which is probably even more vulnerable to attack.
The military’s concerns can been best summed up by an 18-month study authored by the Pentagon’s Defense Science Board, which was published in January. In it, the Pentagon concluded that “the cyber threat is serious and that the United States cannot be confident that our critical Information Technology (IT) systems will work under attack from a sophisticated and well-resourced opponent utilizing cyber capabilities in combination with all of their military and intelligence capabilities (a ‘full spectrum’ adversary).”
That conclusion was based upon the historical success these adversaries have enjoyed in penetrating the nation’s networks, as well as the “relative ease” that teams simulating foreign attackers, knows as Red Teams, have experienced in disrupting or beating the Blue Teams representing the U.S. defense forces. That success was due to exploits which are currently available on the Internet, as well as the “weak cyber hygiene position” of networks and systems owned by the Department of Defense. One of the report’s recommendations are isolated, “Battlestar Galactica”-style groups of aircraft that could be kept separate as a “cyber critical survivable mission force,” to give the President an additional option in the case of a large-scale cyberattack that would cripple the nation’s military.
But from a commercial standpoint, businesses are concerned about two related elements: liability, and their stock price. Homeland Security Secretary Janet Napolitano wants a bill that includes expanding information-sharing capabilities, rewarding companies that implement voluntary cyber-standards, plus an increase in law-enforcement powers to fight cybercrimes and the power to establish rules for when companies must disclose data breaches. All of those hide potential political pitfalls.
Republicans killed a similar bill last year out of fear that a cybersecurity bill would generate too much government regulation. AT&T and Comcast are among those companies that favor a separate bill from House Intelligence Committee Chairman Mike Rogers, which focuses solely on cyber threat information sharing, giving legal protection for companies that share such data with each other and the government.
For now, the DHS (like other government agencies) is affected by the sequester, the large, across-the-board cuts that were triggered on March 1. Napolitano warned that the cuts have forced the DHS to “scale back the development of critical capabilities for the defense of federal cyber networks.”
It’s hard to believe that the military won’t be able to find some way to secure funding for protecting military infrastructure. But once you move into the more complex regulation surrounding the private sector, the knots of regulatory compliance will likely take some time to tease out. This debate looks no closer to a successful resolution.