Five reasons why cybersecurity is a tough nut to crack

With the Senate hoping to end its deadlock on wide-ranging cybersecurity legislation as early as next week, calls are growing for Congress to do something — anything — to secure America’s computer networks.

The security firm Symantec estimates that businesses around the world lose at least $114 billion annually to cybercrime, and rarely a day goes by without a government official warning of a “digital Pearl Harbor.”

Besides the gridlock that has plagued Congress, there are several reasons why lawmakers have struggled to find ways to combat cyberthreats. Here are five of the most important ones:

Private ownership. Most computer networks in the country are owned and run by private businesses — by some estimates 80 to 90 percent. Civil-liberties advocates fear a wider government role could undermine privacy and free speech. Businesses say government regulation would only add to their burdens.

Federal officials say they need tools to ensure that critical networks like electric grids and water-treatment plants meet basic security standards.

But the White House-backed Cybersecurity Act of 2012 has been delayed in the Senate by concerns among some Republicans and by business objections to a provision that would grant the Homeland Security Department authority to help set minimum security standards for certain critical networks. Businesses, those critics argue, know their networks better than any government regulator might.

Privacy. Lawmakers of both parties and businesses say new rules are needed to allow firms to tell government agencies about more of the attacks they face, and to give government agencies a green light to share more classified intelligence they collect on cyberthreats.

But civil-liberties groups say that many information-sharing measures are based on undermining consumer-privacy laws and could give government officials broad new powers to monitor Americans’ communications.

Americans, meanwhile, also don’t appear to be sold on the idea of more information sharing, a recent United Technologies/National Journal Congressional Connection Poll found.

Sixty-three percent of respondents said that government and businesses should not be allowed to share information because it would hurt privacy and civil liberties.

Competing agencies. Many current and former officials envision a collaborative effort with the Homeland Security Department focusing on protecting critical domestic infrastructure like electric grids and water-treatment plants and the Defense Department taking the lead in heading off foreign cyberthreats.

But that’s a hard line to draw in cyberspace, where attacks routinely cross borders and target government as well as private organizations and individuals.

The debate centers on fears that DHS and law-enforcement agencies don’t have the capability to confront major cyberattacks. Concerns over civil liberties, meanwhile, have dogged efforts to have the Defense Department and National Security Agency, with its cyber capabilities, take a larger role in domestic cybersecurity.

Now the interagency turf war has spilled over into Congress, where more than a dozen committees have a piece of the cybersecurity pie.

Changing technology. A constant refrain from industry lobbyists is that technology changes too quickly for government regulations to keep up. It’s an argument that has been used effectively against legislation on issues like privacy and online competition.

“Cyberthreats change so quickly that any legislation must also protect the ability of the private sector to be fast and agile in the detection, prevention, mitigation, and response to cyberevents that can have national or global impact,” a coalition of business groups wrote in a letter to Congress in April.

Scope. The bottom line is that “cybersecurity” encompasses a universe of security problems that arise in cyberspace.

The term can describe anything from theoretical cyberattacks by terrorists or enemy states that send aircraft plunging out of the sky to malware installed by a hacker to steal e-mail passwords. Trying to solve all potential cybersecurity problems can be like trying to stop pickpockets and nuclear war at the same time.

And then there’s debate over how big the threat really is.

Among lawmakers and officials who fear being held responsible if the worst should happen, there is broad agreement that a “cyber 9/11” could be just around the corner. Others, however, are less convinced. A report last year by the Organization for Economic Cooperation and Development, for example, found that the risk of an all-out cyber war was very low.

(Image via bloomua/Shutterstock.com)