Editor’s Note: Katrina Timlin is a Research Assistant for the Technology and Public Policy Program at the Center for Strategic and International Studies.
By Katrina Timlin – Special to CNN
Few would argue against the need to improve U.S. cybersecurity, but the current partisan divide on how to accomplish this goal threatens to stall much-needed legislation in this area. On February 14th, Sen. Joseph Lieberman (I-CT) and Sen. Susan Collins (R-ME) introduced the Cybersecurity Act of 2012, a bill that aims to improve U.S. cyber defense, clarify responsible government oversight authorities, raise issue awareness, and promote information sharing between the private sector and the government. Citing the rapidity with which this bill was brought to the floor and its “prescriptive regulations,” seven GOP senators are seeking to delay this bill and will propose their own cybersecurity legislation on February 21st. The legislative progress on cyber defense is now stalled, and further delays could prove damaging to U.S. economic and national security.
The main impetus for cyber legislation is not some future “Cyber Pearl Harbor”, but the current proliferation of espionage and hacking that erodes U.S. economic and military competitiveness. In an opening statement before the Senate Homeland Security and Government Affairs Committee discussing this cyber legislation, Senator McCain cited a report that claimed attacks on government agencies have risen over 650 percent over the past five years. There is bipartisan consensus about the frequency, growth, and severity of cyber breaches.
Although private sector statistics of cyber incidents are difficult to obtain, it is safe to assume most multinational corporations are similarly threatened by cyber attacks. Even the most technologically advanced U.S. companies, such as Google and RSA, a network security company, have been hacked and lost valuable information.
These breaches show that no one is immune: the current cybersecurity infrastructure, based on voluntary security measures and marginal incentives, is woefully inadequate. The sum of exploitable vulnerabilities in U.S. critical infrastructure, financial, and defense contracting companies undermines U.S. national economic competitiveness. This is not a hypothetical or apoplectic assertion - weak cybersecurity has enabled U.S. adversaries to pilfer sensitive military technology and obtain information in advance of global summits, eroding America’s economic, political, and military strength.
Weak cybersecurity renders America less secure on a global strategic level. Around seventy countries are building cyber capabilities for their military or national defense infrastructure. Among the most capable countries are Russia and China, historical competitors with America. Although they are unlikely to launch a spontaneous cyber attack, it is understandable they are probing our vulnerabilities and testing the limits of cyber espionage. America’s competitors have clear incentives to seek economic and military advantage through these ‘illicit’ means, and America’s inability to properly defend its cyber infrastructure is only facilitating this nefarious behavior.
Greater economic and national security will not come from voluntary measures as the status quo idealistically hopes, nor should this be a reasonable expectation of narrowly self-interested firms. Companies are tasked by their shareholders to make a profit - not to assume the mantle of national security.
As James Lewis, Senior Fellow at the Center for Strategic and International Studies in Washington, D.C., remarked: “continuing to use voluntary, market-driven approaches to this new national security concern is irresponsible and guarantees a successful attack against our nation.” It is the role of the government to mandate better cybersecurity measures that help the public good, not to hope that companies will increase their IT expenditures on their own.
These cybersecurity regulations are contentious, as Republicans and some industry leaders have come out against what they view as onerous regulations that will stifle economic growth and innovation. Instead, they call for further information sharing and risk-based assessments of critical infrastructure to counter the cyber threat. This would be an ineffective defense. Auto safety did not improve by sharing information about the effectiveness of airbags and seatbelts as opposed to mandating their use.
Certain regulations must simply be enacted to provide greater national security. America needs a higher bar of mandatory industry best practices and improved information sharing that will be applied to a broad range of technology companies. These regulations might impose higher costs, but as a result U.S. companies will be able to better safeguard their intellectual property and minimize the aggregate effect of a cyber-attack. Additionally, these costs pale in comparison to the cost of recovering from a major cyber attack – in 2008 it took the Pentagon 14 months to re-secure their networks after a severe breach.
Ultimately, it is the task of our legislators to weigh industry concerns against the greater public good and create a foundation for better cyber security. Let’s hope that this Congress is up to the task and does not postpone this important legislation.
The views expressed in this article are solely those of Katrina Timlin.