A panel of security experts urged Congress on Wednesday to do something—anything—to combat cyberthreats to the United States.
The panel of witnesses before the Senate Homeland Security and Governmental Affairs Committee had specific recommendations, but with a nearly unified voice they all agreed that moving ahead with any current legislative proposals is better than doing nothing.
“If we don’t act now, I can assure you that whatever comes after something bad happens will be much more draconian and not as constructive as it could be,” Frank Cilluffo, director of George Washington University's Homeland Security Policy Institute, told the committee.
Senate Majority Leader Harry Reid, D-Nev., has said he wants to move forward with floor debate on the Cybersecurity Act of 2012 by the end of July.
The bill is championed by leaders of the Senate Intelligence, Commerce, and Homeland Security committees, including Homeland Security panel Chairman Joe Lieberman, ID-Conn. But the bill has been delayed for months because some Republicans don’t want the Homeland Security Department to have the authority to help set security standards for some private networks.
But former National Security Agency and Central Intelligence Agency Director Michael Hayden said all the proposals on the table, including standards, information sharing between businesses and government, and a potential increased role for U.S. intelligence agencies, should be enacted.
Any potential problems can be ironed out later, he said. “I’d do them all. And I would keep an open mind a adjust fire in a year or two.”
Earlier this week, the head of the U.S. Cyber Command, Gen. Keith Alexander, urged lawmakers in a speech to enact a bill before a catastrophic attack leads to an overreaction.
RAND Corp. terrorism analyst Brian Michael Jenkins said any bill won’t be 100 percent right. But, he said, “It’s important to get these things moving rather than finding the absolute perfect legislation."
That did not sit well with Senate Armed Services Committee ranking member John McCain, R-Ariz., who is a chief critic of Lieberman’s Cybersecurity Act and who has introduced competing cybersecurity legislation of his own.
Invoking the Hippocratic oath, McCain rebuked the witnesses for not acknowledging the potential harms he sees in giving government officials the authority to set security standards. “The first principle is do no harm,” McCain said. “The thing we don’t want to do is do something wrong.”
McCain and other Republican committee leaders are pushing their own bill, which mirrors many of the Cybersecurity Act’s proposals such as encouraging businesses and government to share cyberthreat information with each other, but leaves out any new authority to set standards.
Several compromise proposals are in the works that would soften some of the standards proposals.
But many of the proposals are still eliciting pushback from businesses, which don’t want new regulations, and civil liberties advocates, who fear information sharing could undermine privacy.
The latest United Technologies/National Journal Congressional Connection Poll found that despite expressing concern over cyberthreats, a majority of Americans don’t favor information sharing because of privacy concerns, and are opposed to government-set standards.
Homeland Security Committee ranking member Susan Collins, R-Maine, has held on as the lone GOP cosponsor of the Cybersecurity Act. She said the protection of critical networks such as those connected to electric grids and water-treatment plants can’t be left up to voluntary measures.
Waiting to act, Collins said, is risking a catastrophic cyberattack.
“I can think of no other area where the threat is greater and we’ve done less to counter it,” she said.
Credential-stealing malware / User accounts compromised / Software vulnerability
See threatwatch report