The cybersecurity bill that went down Thursday to legislative defeat shows the deep schism in Congress that had Democrats siding with traditional national-security defense hawks, and Senate Republicans, who toppled the bill, largely siding with businesses that didn't want government foisting new regulations on them.
The White House today was expressing "profound disappointment" about Republican "obstructionists," claiming that "special interests" were "seeking to avoid accountability" and that the legislation would "better protect our nation from potentially catastrophic cyberattacks." One main point of debate in this now-stalled legislation is whether any new cybersecurity guidelines should be mandatory or voluntary for companies such as electric-power suppliers to follow.
The original cybersecurity bill had made proposed standards mandatory, but even after it was watered down to be more optional, it still didn't win approval from skeptical Republicans who don't want private industry regulated this way. This anti-cybersecurity regulation stance draws fierce criticism from Stewart Baker, an attorney who served at the Department of Homeland Security in the George W. Bush administration and the National Security Agency, and whose national-security defense hawk credentials shouldn't be in doubt.
"I would support mandatory requirements because I feel this is a real crisis," said Baker, partner in the Washington, D.C. law office of Steptoe & Johnson.
Long connected in national-intelligence circles, Baker says he's speaking about his own personal point of view when he discusses the now-stalled cybersecurity bill.
Having voluntary standards for security simply isn't sufficient, Baker warns. But he acknowledges any type of new standards related to network security and audits "could be expensive." The North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection guidelines in place today simply aren't enough, he says. Baker has been an advocate of in-depth government-based auditing over networks providing critical electric supply, noting that a number of countries in Asia, including China, follow this practice.
Baker says the need for this kind of government oversight for vital infrastructure may eventually be "learned the hard way" when cyberattacks one day take down the grid or disrupt other critical resources the public takes for granted. But instead of lengthy debate and compromise over cybersecurity legislation, the ensuing panic in a crisis might result in extreme legislation that becomes law.
Industrial control systems (ICS) increasingly involve components that include Windows-based and other network products familiar to enterprise IT shops, and updating ICS-based networks is difficult, companies have admitted, as they did at the recent Industrial Control Systems Working Group meeting organized by DHS in May in Savannah, Ga. And of course, the covert U.S. and Israeli attack by means of the Stuxnet weaponized malware two years ago against the Siemens control systems in an Iranian plant suspected of developing a nuclear weapon has become a clear sign that cyberattacks are real.
One of the problems is that companies are simply in denial about cyberattacks, Baker says. "We have to persuade companies that own the infrastructure that they really are at risk of attacks from adversaries that have names and addresses," he says. He adds the intelligence community should be stepping up to "do a better job" to share information about attackers.
Stewart says the White House is so concerned about the potential for cyberattacks that if the cybersecurity bill fails this time around, he wouldn't be surprised if President Obama might look for the authority to issue an executive order to strengthen the government's hand in regulating critical infrastructure.
Others say they also feel there's a sense of urgency in setting mandatory security and audit requirements that would involve stricter government oversight for industries such as electric power.
Chris Petersen, CTO at LogRhythm, says it's his personal view, as someone who feels patriotic toward his country, that it's time to have effective mandatory requirements over critical infrastructure such as the power grid and water systems.
Petersen says the situation in terms of ongoing attacks already feels like "a perpetual state of war" as attackers, possibly including nation-states, are constantly probing networks. New government regulation probably would add expense, he acknowledges, so it might be a good idea to have some sort of "subsidy" to cover that, he says. "But there needs to be some sort of auditability and enforcement."
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE.