recommended reading

9/11 haunts debate over cybersecurity

Moshe Bursuker/AP file photo

More than a decade after the Sept. 11, 2001, terrorist attacks, the tragedy haunts Washington policymakers who are deadlocked over how to protect the country against cyberattacks.

Current and former government officials have spent months pointing to 9/11 as a harbinger of what could occur if Congress, federal agencies, and businesses don’t act to update policies that govern how cyberthreat information is shared; how threats are monitored; and what standards should guide national cybersecurity.

“We’ve got an opportunity to do what we didn’t do before 9/11. We’ve got an opportunity to fix this problem before we’re attacked,” Senate Homeland Security and Governmental Affairs Chairman Joe Lieberman, ID-Conn., told National Journal in an interview earlier this year. “I hope and pray that we deal with it, and we don’t run around frantically after an attack to close loopholes we can close now.”

Lieberman was the lead sponsor of the Cybersecurity Act of 2012, which failed to advance before Congress recessed in August. Republicans, backed by business groups such as the U.S. Chamber of Commerce, say the bill could lead to burdensome government regulations that could never keep up with ever-changing cyberthreats.

FBI Director Robert Mueller has said he thinks the danger of damage to U.S. computer networks—including those that control vital systems such as power grids and nuclear plants—is well on its way to overtaking terrorism as the top threat to the United States.

President Obama is considering a number of ideas for a draft executive order that could be used to enact some reforms if Congress fails to act on cybersecurity, but no decision has been made. Even if Obama moves forward, he’s limited in the steps he can take and Congress will continue to face pressure.

Throughout it all, 9/11 has cast its shadow as lawmakers and government officials seek to inoculate themselves against blame should a catastrophic attack happen.

“We carry the burden of knowing that 9/11 might have been averted with the intelligence that existed at the time,” a group of former officials wrote in a letter to Congress this summer. “We do not want to be in the same position again when ‘cyber 9/11’ hits—it is not a question of whether this will happen; it is a question of ‘when,’ ” said the letter. Among its signatories was Michael Chertoff, who headed the Homeland Security Department under President George W. Bush.

Senate Commerce Chairman Jay Rockefeller, D-W.Va., another of the cybersecurity bill’s sponsors, recalled the 9/11 warning signs that were missed in 2000 and 2001 when discussing the issue during this summer’s debate.

“Our intelligence and national-security leadership took these matters seriously, but not seriously enough,” he said. “Then it was too late: 9/11 happened.”

Although the terrorist attacks have been used as an example of why the United States needs to be proactive in confronting cyberthreats, the civil-liberties legacy of government action taken in their wake is complicating the debate. Privacy groups, for example, have warned that cybersecurity could be used as an excuse to extend government surveillance powers. A House bill aimed at encouraging cybersecurity information-sharing between businesses and government passed the House in April but was roundly criticized as providing a backdoor opportunity for officials to monitor private communications.

Some doubt whether a cyberattack could cause the same loss of life and physical destruction that occurred on 9/11. So far, there have been no examples of major physical damage or deaths related to online-based attacks.

Howard Schmidt, who stepped down as the White House’s top cybersecurity official earlier this year, has long been an advocate of toning down the rhetoric over cybersecurity. And Gen. Keith Alexander, who heads the National Security Agency and U.S. Cyber Command, says that al-Qaida has yet to achieve the capabilities to launch a major cyberattack on the United States.

Nevertheless, both Schmidt and Alexander are among the many officials urging Congress to act before a major attack not only wreaks havoc, but leads policymakers to overreact.

“I’m afraid we’ll argue about this until something bad happens. And when something bad happens, we’ll jump way over here, where we don’t want to be,” Alexander said in a rare public appearance in July. “Let’s do it now. Let’s get it right.”

Businesses are asking for legal protections and incentives to help them better secure private networks, which make up the majority of systems in the United States. The White House, however, says voluntary standards are not enough and advocates for more authority to enforce security guidelines for the most vulnerable networks.

Threatwatch Alert

Network intrusion / Stolen credentials

85M User Accounts Compromised from Video-sharing Site Dailymotion

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

    Download
  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

    Download
  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

    Download
  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

    Download

When you download a report, your information may be shared with the underwriters of that document.