With cyber attack threat rising, Senate bill falters
Update: On Thursday, after days of behind-the-scenes talks fell short of a bipartisan compromise, the Senate failed to advance the cyber security bill -- throwing into question the bill's future. The cloture vote was 52-46, with 60 votes needed to stop debate and proceed to a final vote on the bill.
U.S. Sen. Roy Blunt, R-Mo., voted to continue debate, saying afterward that senators "should have the chance to amend and improve this legislation, and we need to work together to produce the best bill possible." Voting to stop debate and advance the bill were U.S. Sens. Dick Durbin, D-Ill., and Claire McCaskill, D-Mo., who said she wants an effective cybersecurity bill but had hoped to offer three amendments to ensure competitive and efficient contracting related to cyber security.
"The Chamber of Commerce has really put the screws to [block] this legislation," McCaskill said in an interview. While she wants an effective cyber security bill, McCaskill told the Beacon she was "hesitant about some parts of the bill" and would like to offer amendments "to make sure the Homeland Security Department doesn't rely exclusively on contractors to carry out the directives. We've had a bad experience with DHS when it comes to contractors" -- with "runaway spending" and little accountability to taxpayers. End of update.
Read the Beacon's earlier story below:
WASHINGTON – A train carrying toxic chemicals derails near St. Louis, emitting deadly fumes. Water treatment plants in Illinois suddenly lose power and shut down, leading to a shortage of clean drinking water. A credit-card processing center is hacked and millions of cards are cancelled because the numbers are posted on internet sites.
Those are some of the nightmare scenarios of a major cyber attack – the use of malicious software to invade computer networks of companies that operate much of the nation’s critical infrastructure systems, including finance, transportation, the electric grid, water utilities, power plants and chemical refineries.
“There are 111 power plants in Missouri,” says U.S. Sen. Roy Blunt, R-Mo., a member of the Senate Intelligence Committee. “They are all, in some way or another, hooked into the grid that can be disabled in a significant way.”
Blunt said intelligence officials regard cyber attacks as “our greatest area of vulnerability ... because it involves everything. It involves how we communicate. It involves how we get gasoline. It involves how we power everything from the drinking water system to the electricity at home.”
This week, the U.S. Senate was scheduled to take up what some regard as a watered-down cyber security bill, sponsored by U.S. Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Me., that would take some initial steps toward strengthening weak cyber defenses in the nation’s private sector. (The federal government and military have comparatively strong cyber defenses.)
The bill takes more of a “carrot” than a punitive “stick” approach to persuading companies to bolster their computer security, and does not impose specific plans. The Homeland Security Department (DHS) would suggest “cyber security performance requirements” and define “critical infrastructure” to be protected. But firms could help develop and propose performance requirements and would have the flexibility to meet the cyber security requirements in a way they believe is appropriate.
“We are going to try carrots instead of sticks as we begin to improve our cyber defenses,” Lieberman said in a statement. But if voluntary steps fail, “a future Congress will undoubtedly come back and adopt a more coercive system.”
While the Lieberman-Collins bill is advertised as bipartisan, it is controversial. Critics, including numerous GOP senators and U.S. Sen. Claire McCaskill, D-Mo., want to amend the current bill because of concerns that it would impose too many oversight layers, give the DHS too much power and entwine companies in unnecessary red tape.
McCaskill said that many Missouri firms “operating or associated with the types of critical infrastructure that will be subject” to the bill’s provisions had “raised concerns that, as currently structured, (the Lieberman-Collins bill) would create redundant oversight structures and add additional standards.”
In a Senate statement, McCaskill added that the bill “may have the effect of creating a new federal system that these entities will have to comply with even though many already work within well-established systems related to developing security standards and responding to cyber threats. I cannot support legislation that creates new and duplicative systems that will impact Missouri businesses in a negative way.”
An alternate bill offered by Sen. John McCain, R-Ariz., called the Secure IT Act, does not mandate cyber security for companies and leaves out specific mention of cyber security protections for critical infrastructure. Instead, McCain and allies want to widen information sharing about cyber threats between industry and the government. He especially objects to bolstering the role of the DHS, which he contends has “an abysmal track record” in other security areas.
“I question the logic of putting this agency in charge of sensitive national security matters,” McCain said during the debate. “They can’t even screen airline passengers without constant controversy.”
Obama weighs in as NSA warns of cyber attacks
The former Illinois senator who defeated McCain for the White House, President Barack Obama, has been pushing for Congress to act quickly on cyber security. In an op-ed in the Wall Street Journal that seemed aimed at GOP senators, Obama wrote that he convened an emergency cabinet meeting recently to deal with a simulated cyber attack.
While hackers have not yet badly damaged critical infrastructure in this country, Obama wrote that “foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day.” Hackers have penetrated networks related to natural-gas pipelines and the controls of a water plant in Texas.
“In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home,” Obama wrote. “Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we've seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.”
Among the most knowledgeable officials who see the need for congressional action is Gen. Keith Alexander, who heads the National Security Agency – which eavesdrops on communications worldwide – as well as the U.S. Cyber Command, which runs this nation’s offensive cyber operations. At the Aspen Security Forum, Alexander said computer intrusions by hackers, criminals and governments against U.S. infrastructure had risen 17-fold between 2009 and 2011.
This month, the Bipartisan Policy Center’s Cybersecurity Task Force reported that more than 50,000 cyber attacks on private or government networks were reported to the DHS between last fall and February – 86 of those aimed at critical infrastructure networks.
Comparing today’s lack of preparation to defend against a major cyber attack to the nation’s security lapses before 9/11, U.S. Sen. Dick Durbin, D-Ill., said, “There’s an overwhelming, bipartisan consensus among officials in the intelligence, defense and national security community that America is incredibly vulnerable to a cyber attack that can be launched at any moment from anywhere in the world.”
Current and former U.S. intelligence officials, Durbin said, have jointly warned against a “catastrophic cyber attack that could cripple our nation’s economy, cause widespread loss of life, and send our economy into freefall.”
Blunt a 'swing vote' in cyber debate?
During the ongoing discussions about the committee bill, Blunt has been regarded as a possible swing vote because he wants action on cyber security but is open to compromise to make the bill less onerous to business.
For example, U.S. Sens. Sheldon Whitehouse, D-R.I., and Jon Kyl, R-Ariz., have suggested expanding the bill's liability protections in a way that might draw support from utilities that own power plants, water systems and other critical infrastructure.
“When we talk about cybersecurity, we’re not talking about the government somehow securing everything that happens in the cyber-world,” Blunt said in a Senate colloquy. While conceding that there are “competing concerns” on the approach to cybersecurity, Blunt said “they don’t need to be mutually exclusive at all.”
The disagreements, Blunt said, boil down to this: “How do we define that critical infrastructure, and how do we do it in a way that is the most responsible -- protecting civil liberties at the same time we are carving out a spot where government has some obligation.”
Privacy is indeed an issue to some senators, as it was when the House debated – and passed – a cyber security bill this spring. For example, U.S. Sen. Ron Wyden, D-Ore., is pushing an amendment to prevent
In her Senate statement, McCaskill agreed that Congress should take action to address the nation's vulnerability to cyber threats, but asserted that the Lieberman bill was flawed because “cyber security legislation must improve the regulatory scheme and streamline processes for businesses, not the opposite.”
She said the bill’s “carrot and stick approach” would limit the sharing of cyber threat information to firms that take part in the voluntary cyber security program and develop standards. Those firms would get real-time cyber threat information, which others would not. “Given that sharing such information could potentially thwart a cyber attack, it seems absurd that such information would go unshared because a particular entity was not a participant in the voluntary system,” McCaskill said.
If the Lieberman bill can be amended to meet her concerns, McCaskill said she would vote for it. “Whether now or in the future, the Senate does need to pass legislation,” she said. “But it must be legislation that is well crafted, balanced and workable for the businesses that will operate under its scheme.”
Blunt, who also would like to see changes, says the time to act is now. “If you’re in almost any kind of business, you’ve either been attacked, are going to be attacked, or are being attacked right now – maybe for malicious purposes, maybe just to see if they can do it, how they can get into your system,” he said.
“We’re going to pass a cyber security bill at some time . . . either in a considered, thoughtful way or in a post-cyber attack moment, like a post-9/11 moment, and who knows what we might do?”
He added: “The wrong way will be waiting too long. The right way is to do this now.”