Home » Cyber » Will it Take a ‘Cyber Pearl Harbor’ to Break Congressional Deadlock?

Will it Take a ‘Cyber Pearl Harbor’ to Break Congressional Deadlock?

by Ward Carroll on November 15, 2012

Even in the face of what most experts label a potential “Cyber Pearl Harbor” threat, Washington’s partisan divide carried the day on Capitol Hill yesterday: the Cybersecurity Act of 2012 stalled in the Senate on a 51–47 procedural vote, short of the 60 votes needed to advance the bill.

The result drew a quick response from the staff of Secretary of Defense Leon Panetta: “The U.S. defense strategy calls for greater investments in cybersecurity measures, and we will continue to explore ways to defend the nation against cyber threats,” DoD spokesman George Little said. “New legislation would have enhanced those efforts. If the Congress neglects to address this security problem urgently, the consequences could be devastating.”

The gridlock that stalled the measure traces to the same dynamics that have kept Congress from acting on anything, including the negotiations needed to keep the nation from going over the “fiscal cliff.” The White House focused its influence on the Senate rather than the House, and Senate Republicans chose to view the legislation not as a national security measure but as more proof that Democrats want government in everything. (What party came up with the Patriot Act, by the way?)

Senate Republicans were unflinching in their dislike of the bill as written. “[The Senate bill] would have created a new bureaucracy that would have slowed down the process and forced companies to focus on compliance with new government mandates that would not ensure better and faster notifications of cyber threats,” said Kay Bailey Hutchison of Texas, the retiring top Republican on the Senate Commerce Committee, in an e-mail to Bloomberg Businessweek.

Meanwhile the issue is complicated by the fact that, absent liability laws covering cyber attacks, companies are left to calculate for themselves whether it is more cost effective to invest in the hardware, software and manpower required to prevent an attack, or simply to weather the attack and fix what breaks afterwards.

History might have to repeat itself, this time with new technology: it may take a catastrophic cyber attack to settle the argument.


32 comments

Max November 15, 2012 at 3:09 pm

Normally, I side with the Republicans, but on this issue, I disagree. I'm taking a computer security class at college, and I can tell you that if private businesses don't invest in the defenses necessary to defend themselves, they put the entire country at risk; especially those companies that operate critical infrastructure like power plants (especially nuclear), chemical plants, railroads, etc etc. This is definitely a national security threat that we cannot ignore. If private companies don't want to do it themselves, then the government must step in and make it happen somehow, through regulation, financial/tax incentives or something.

tom November 15, 2012 at 6:23 pm

And the American taxpayer continues to foot the bill for Panetta flying home to California on a USAF jet every single weekend to be with his wife. I can't believe we allow wasteful spending like this!

Thunder350 November 15, 2012 at 8:21 pm

You're complaining about nickels and dimes compared to other waste…

blight_ November 16, 2012 at 9:15 am

You should read militarycorruption.com and see what else is on there…

Michael W November 23, 2012 at 9:05 am

I am sorry, but what does this have to do with anything. He is the secretary of defense. You have to learn to stop letting your hatred of Democrats get in the way of your analysis of the situation.

tee November 15, 2012 at 6:54 pm

As someone in the business for over 20+ years, "Be careful of What You Wish For". The Government can't run the Post Office or any other Entity Successfully and you want them to have "Total Control of the Internet" ??? Not a Very Smart Idea.

Michael W November 23, 2012 at 9:08 am

I completely disagree with tee. We have shown over and over again that certain activities have to be run by the government and not by private industry. Whether or not cybersecurity is such a domain is still being debated, and to what extent the DOD should be involved is to be determined, but I suspect that it will take a cyber-Pearl Harbor or cyber-9/11 to cause us to deal with this. It is asking a lot for people to understand the issues up front.

Speedy November 15, 2012 at 11:00 pm

Side A: We stop this bill from being approved for our own reasons.
Side B: You will allow <XXXX> to happen, then we will blame you.
<XXXX> happens
Side A: Blames Side B for not doing anything about <XXXX> before it happened.
Side B: Does not seem to point out Side A caused the problem.

Rinse, Repeat… and repeat…

ChrisM November 15, 2012 at 11:48 pm

Partisan? I'd call it bi-partisan gridlock. About as many Republicans voted for it as Democrats voted against it. http://votesmart.org/bill/votes/41248#.UKXDzGt5mS

5 Republicans voted for it, two abstained. 4 Democrats voted against.

Max November 16, 2012 at 12:21 am

Well, 5 out of 45 Republicans, and 4 out of 51-ish Democrats, doesn't sound very "bi" to me. To me, this should not be a partisan issue, it's a threat against the entire nation. Again, I'm not concerned about the small businesses; I'm concerned about the critical infrastructure firms. I think we all should be. my 2 cents

SFC C+11 November 16, 2012 at 7:14 am

DoD should not be IN CHARGE of the NATION'S INFRASTRUCTURE. Let the Power Companies, Transportation, Aviation, Wall Street, Contractors, and the Government control their own internet. They can make their own lines secure. They can hire the people needed to secure their internet connections, OR all of the aforementioned should create their own NET.
DoD has enough to secure, 5 branches, and their own Communications assets to worry about.
The BIG Companies and the rest NEED "GUIDELINES" FROM CONGRESS to get the ball rolling. Make the darn guidelines and be done with it. SECURE THE INFRASTRUCTURE BEFORE IT IS TOO LATE!!

blight_ November 16, 2012 at 9:15 am

"The BIG Companies and the rest NEED "GUIDELINES" FROM CONGRESS to get the ball rolling"

Usually it's the private sector telling Congress what laws to pass…

Rational Rob November 16, 2012 at 12:48 pm

Classified Networks are not secure because as long as a human being isn't being actively monitored, there is always the potential for loss of data.

Look at Private Manning.

Michael W November 23, 2012 at 9:12 am

Dear Rational Rob

The way security works is not perfect, nor is it complete. The general theory is that you pay for the level of security you want, and that in general you try to find the right balance between the cost of security and the danger that results from a lapse. There are many potential weak links, but indeed the human element is central. But this applies to all areas of security, not just cyber security, and we seem to have been able to deal with these other areas well enough (not perfectly and at great expense, but with some effect. We do keep some secrets for example).

Tad November 16, 2012 at 3:36 pm

Without knowing all the details of the bill, it's very hard to decide whether the Republicans are just being pig-headed, or if perhaps they just feel the bill needs to be better-written. I suppose it's better to slow down, read the legislation, understand its implications, than to have a knee-jerk reaction and pass poor legislation. Let's hope that's the situation here.

dubweiser101 November 16, 2012 at 6:58 pm

One thing we can all agree on is that the USA does depend on war to inject revenue into its economy and to shift political focus when convenient. History has spoken…

When, where, and how is anyone's guess. Unless you happen to be a member of that tight circle of planners in the proverbial smoky room.

Max November 16, 2012 at 9:26 pm

I think a lot of lawmakers, not to mention most of the population, are really clueless when it comes to really understanding the danger of hackers and the power of groups with the backing of a national government like China or Russia with huge resources and the ability to hire the most brilliant and educated minds available to focus their attention on one thing: take out infrastructure, put back doors in, steal information, etc. in ways that average hackers couldn't hope to match.

Just because someone knows how to use a web browser or read email doesn't mean they know anything at all about computer security issues. I suspect that much of the Republican opposition to this kind of legislation is based on sheer ignorance of these things, and they are relying on the old tried-and-true approach that "anything that's bad for business is bad for America." The title of this news piece is apt, because it just might take a Pearl Harbor-like disaster that knocks out electrical power for most of the country for a couple of weeks or more to get their attention. It's bound to happen sooner or later. The US has already done similar things to Iran with their centrifuges with the Stuxnet virus. That virus has now been reverse-engineered and is being used already.

John November 17, 2012 at 12:41 pm

>>> What party came up with the Patriot Act, by the way?)

I'll take this opportunity to thank the Democrats for repealing the Patriot Act the moment they had control of the House, the Senate and the WH.

What's that you say? They never repealed it, they expanded it? And now Obama has granted himself the power to assassinate US citizens without trial?

And hey, where did all the war protests go?

The_Hand November 17, 2012 at 6:47 pm

A few comments:

I'm not up to speed on the details of the Cybersecurity Act but I assure you something like it is absolutely necessary. I'm reading some comments here along the lines of "private industry can make their own lines secure", which I think has been utterly disproven over the past fifteen years. Industry has to be dragged, kicking and screaming, toward more secure networks. The only reason networks are more secure today is because of regulations like HIPAA and PCI.

As for air gapping "critical" networks, that's basically what the Cybersecurity Act is trying to accomplish to the degree that it's actually feasible. You can't unhook all the financial servers from the internet and expect business to continue, and even if you did they still wouldn't be automagically secure. Iran's centrifuges weren't hooked up to the internet either. It is possible, using a combination of encryption, tunneling, virtualization, and endpoint security, to enclave critical assets while allowing network connectivity. But these solutions have to be carefully architected, and they cost money, so it'll never happen without government encouragement.

Brett November 18, 2012 at 2:43 pm

State sponsored cyber criminals steal the very technologies and intellectual properties that both our country and private sector enterprises spend billions to develop. Adversarial nations bring themselves eye-to-eye with the U.S. by investing trivial amounts of money into hacking efforts. Advanced persistent threats sit in wait on the inside of our critical infrastructure networks to be kicked off when the time is right and to continue to passively sponge up proprietary and secret information. The government alone is not the solution, but should implement a joint public-private consortium to fight and defeat these virtual threat vectors. The government cannot scale to the levels required to govern private sector information security. It should use a combination of incentives and requirements as the path to secure private sector systems. For example, providing tax incentives to those companies that meet security certification and accreditation standards could serve as a return on investment incentive, that when paired with a competitive differentiator, could entice enterprises to invest in security. Without a justification, many private sector enterprises will continue to focus on keeping the lights on operationally and not so much securely.

R L Vitt November 18, 2012 at 3:21 pm

As just a regular guy with internet access, I wouldn't let the government have any control at all over the internet. If they want to have secure DOD computers, run them on a separate network. But, I'm not willing to give government the power to shut down internet usage in the name of security. China and Iran as well as many other countries have that power. I'm not willing to let our government have any say at all over our system.

blight_ November 19, 2012 at 10:32 am

squiddy November 21, 2012 at 12:12 pm

South Carolina’s breach was caused by a phishing attack, and lack of two-factor authentication in their Citrix Remote Access service.

This is hardly a new attack vector – the average high-school kid could pull it off. And one that would be easily prevented by any kind of proper security regime. Office networks with email and web access must *never* be on the same networks, or use the same credentials, as sensitive data – they must be isolated. And two-factor authentication of some form *must* be used for any kind of remote access.

But this isn’t just South Carolina’s problem, the same thing occurs all over the place, including financial houses. How many U.S. banks offer on-line banking? Now how many of those offer two-factor authentication?

The situation is actually pretty desperate; our economy and our infrastructure are far more vulnerable than anyone will admit.

Max November 22, 2012 at 4:51 pm

US Bank has two or three-factor authentication (depending on how you look at it): UN, security question, and pw. They also do an excellent job of monitoring transactions for suspicious "behavior". They detected someone using my checkcard on a known hacker website within minutes, and called me up, saving me a bunch of headaches.

ING direct is pretty good, too.

secgauntlet November 24, 2012 at 9:51 pm

I have been an Information Security Professional for over 32 years now. Yes, before most of you all knew we had networks and classified processing. I have worked for the DOD, DOT, DOE and FAA. I am VERY distressed about the government not stepping up to the plate on increasing the ability of our critical infrastructure entities to protect themselves. We spend billions on new research of weapons systems (laser tech, new bombs, new rifles, etc.), billions on aircraft that are so advanced that our pilots can't fly them without a computer and most of all we still have an inverted (for the most part) perimeter within the military, DOD and our Intelligence agencies. Too many chiefs and not enough Indians (pardon the pun but it fits very well). I also agree with some here who do not encourage the Government to lead this effort. Especially any military branch. The DOD's job is to fight combat wars on the ground and in the air. The Internet is just not the space or communications for that type of C4I structure to be effective. It takes many, many Indians and very clever underground types whose criminal record may not allow them to enter the service and carry a gun, but in our world, the world of Cyberspace is for people who do NOT play by the rule book. With politics and rules, one will NEVER play in this obscure space and time. This is a space of truly UNCONVENTIONAL warfare. Since 1999, PDD-63 has directed critical infrastructure to plan and implement defensive measures for each of these critical entities (Transportation, Water, Electric, etc). BUT almost none have performed any real efforts to protect themselves despite this document being a Presidential Directive. IF they had, 9/11 may well NEVER have happened (only speculation on my part). A special entity should be formed outside the Intelligence and DOD community and be allowed to do what needs to be done to protect these entities, at a MINIMUM from Cyber events.
Proactive and Offensive measures need to be taken immediately against other nations such as China, Russia, Africa, to name a few, who believe they can hack, social engineer and threaten our way of life through the use of the Internet. It is time the US takes an Offensive Posture on the Cyber warfare front and starts kicking some butts. "Control the money and you control a country. Control access to the Internet and you Control everything about a Country, people, commerce, money, and their way of life".

blight_ November 15, 2012 at 3:34 pm

Goodbye DoD-cloud…

A.Physicist November 15, 2012 at 5:07 pm

Try telling that to the small engineering/software company with contractors working remotely in three cities. While DOD R&D program managers balk at these kinds of security risks, they are rarely allowed to just say "no". They're explicitly required to support small businesses, which can't afford to be cut off electronically. These small-business networks should be severed from the broader internet, but the DOD folks would be branded as "anti-small-business bullies" by their congressional representatives.

Unfortunately, specifics of the on-site networks — usually due to incompetent design — often allow users to completely bypass those security measures. There's very little auditing done, and virtually no incentive for the business to do it on their own (too expensive, with what is viewed as a tiny risk of intrusion). I have visited offices which have had open wireless networks _behind_ multiple layers of security. Boggles the mind.

ddd November 16, 2012 at 9:21 pm

I remember a defense official once telling me that the problem comes down to tiny gaps you forget about. For instance, Logistics Command does a lot of its shipping through commercial shippers. That means, at some point, its networks connect to the "open" Internet, providing an unguarded avenue into the myriad networks we run. The same thing goes with all other critical infrastructure. It ultimately comes down to convenience. Are we willing to pay more in inefficiency to avoid breaches in security? So far, it seems that companies are willing to just live with breaches and move on. You be the judge whether that is smart or not. I will tell you one thing though: it is unacceptable that power substations can be reprogrammed over unencrypted, wireless networks.

The_Hand November 17, 2012 at 6:49 pm

You think cutting the link to the outside makes a network secure? How refreshingly naive.

Musson November 16, 2012 at 10:37 am

You cannot securitize the Cloud. It cannot be done. I have worked for several major banks and they have all tried and failed to implement a Cloud solution.

Dell did offer to build us our own Cloud that no one else would have access to, but that defeated the low cost and timeliness issues that took us to the Cloud in the first place.

ddd November 16, 2012 at 9:23 pm

Well you can't control your caps lock…so what does that imply? Hmmm?

Max November 18, 2012 at 7:58 am

I don't think anyone said that. Your point is a good one, though. Viruses used to be spread through floppies (remember those?) until the internet made it a lot easier. I understand that Stuxnet was able to access the Iranian centrifuge computer controllers, not by internet access, but by someone slipping a usb drive into a computer somewhere with the virus that then found its way where it wanted to go.

There are many ways to attack a network/computer; hacking through the internet is just one; you are right about that. I don't think anyone said or believes what you said, though.
