‘We Would Lose’ Cyberwar if Attacked, Ex-Intelligence Chief Says
Approve the Senate Commerce Committee’s cybersecurity bill or face doom: That was the stark choice posed by the George W. Bush administration’s last Director of National Intelligence at a committee hearing Tuesday. Mike McConnell, executive vice president of Booz Allen Hamilton’s national security business, laid out a vision for a future Internet brought under federal control in the same way that railroads came under heavy regulation at their peak of influence. Meanwhile, an FCC official made a pitch for his agency to use its experience in collecting status information from traditional communications networks to do the same for the Internet at large.
The Cybersecurity Act (S-773) has gone through four drafts since it debuted last year to widespread concerns it would give too much power to the executive branch (WID June 1 p1), said Committee Chair Jay Rockefeller, D-W.Va. “We kept calling in the stakeholders” and revising provisions they found problematic. But last week’s Cyber ShockWave simulated cyberattack (WID Feb 17 p1) removed any doubt that the U.S. needs “strong top-level coordination” to successfully respond to an attack, Rockefeller said.
Sen. Olympia Snowe, R-Maine and cosponsor of the committee bill, said they’ve had “literally hundreds of meetings” with interested parties. Though they met recently with new federal cybercoordinator Howard Schmidt, leaders remain worried the job lacks “heft” and a direct line to the president, she said. The cyberattacks on Google and other companies traced to China “should serve as a wake-up call to those who have not taken this problem seriously.”
“If the nation went to war today in a cyberwar, we would lose,” McConnell said. The U.S. can’t “mitigate the risk,” he said bluntly: “We’re going to have a catastrophic event” that will spur a more forceful reaction from the government unless the committee bill becomes law. “We’re going to have to morph the Internet” from its commercial focus, symbolized by the .com domain, to a “dot secure” framework, based on authentication, data integrity and “non-repudiation,” McConnell said.
If the history of federal regulation of railroads and automobiles is any indication, the Internet is due for serious regulatory intervention -- a rare point of agreement with China, McConnell said. U.S. currency is based on “accounting entry” and thus the financial system is most vulnerable to attack: An extremist group could “scramble” financial data and shake public confidence. McConnell also warned the U.S. will have to develop a cyber “pre-emption” policy.
Many FCC cybersecurity recommendations will be addressed in the National Broadband Plan, said James Barnett, chief of the Public Safety and Homeland Security Bureau. Communications licensees already provide the FCC near-real-time data on outages and network problems, so it’s well positioned to manage “situational awareness” of the broader Internet, he said. The commission is considering a voluntary certification program to get out its cyber best practices developed by a previous working group, and it’s talking more to regulators abroad on the issue, Barnett said: “We’re at the start of a long journey.”
The Internet is a “Hobbesian environment” and it can’t succeed under a “do-it-yourself, homebrew approach to cybersecurity,” said the Center for Strategic and International Studies’ James Lewis, who led a commission to draft cybersecurity recommendations for the incoming White House in 2008. The committee bill would make cybersecurity “more perfect” in the near term, he said: “We don’t have decades to do this” as with other big federal initiatives.
The standards-setting process historically employed by the federal government can’t work for cybersecurity, said Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit research group affiliated with Tufts University. Having studied the cybersecurity posture of critical infrastructure since 2004, the group has concluded that “broken or missing markets” are the culprit, he said. The biggest growth opportunities, such as cloud computing and smart devices, “could be brought to a screeching halt” if their cybervulnerabilities were better known. The government needs to spur entrepreneurial activity, not spend years developing backward-looking standards, Borg said.
The rush to connect everything to the Internet has exposed critical infrastructure to “systemic risk” it wasn’t designed to handle, said Oracle Chief Security Officer Mary Ann Davidson. “‘Move the control rods in and out of the reactor? There’s an app for that,’” she said, mocking Apple’s commercials. The U.S. educational system doesn’t teach software designers to “code defensively,” a problem Oracle has raised with several universities to no avail, she said: Schools “fiddle while Rome is being hacked.” The government should link research funding to “phased change” in university technology curricula and insist on more transparency for smart-grid components, Davidson said.
McConnell agreed the U.S. should make investments in better coding programs for youth as the “necessary starting point” for larger efforts. China and other big countries have the resources to do far more investment than the U.S., he said. Some companies will never “do the right thing,” so the U.S. must apply mandates at some level so the network effects of noncompliance don’t spread to responsible companies, Lewis said. “Markets are engineered into existence” by regulation and the government needs to remove impediments to investment, Borg said. The “compartmentalized” nature of financial regulations means multiple congressional committees need to coordinate efforts to secure vulnerable financial networks, McConnell said.
Sen. Mark Pryor, D-Ark., probed the FCC’s Barnett on the extent of the role that Barnett envisioned for the commission. Pryor asked if businesses can “talk among themselves” without fear of antitrust or other regulatory violation. That’s exactly where the FCC can play a role, Barnett said: Regulated providers won’t share information with each other but they do with the commission, which keeps information confidential.