9/11 haunts debate over cybersecurity

More than a decade after the Sept. 11, 2001, terrorist attacks, the tragedy haunts Washington policymakers who are deadlocked over how to protect the country against cyberattacks.

Current and former government officials have spent months pointing to 9/11 as a harbinger of what could occur if Congress, federal agencies, and businesses don’t act to update policies that govern how cyberthreat information is shared; how threats are monitored; and what standards should guide national cybersecurity.

“We’ve got an opportunity to do what we didn’t do before 9/11. We’ve got an opportunity to fix this problem before we’re attacked,” Senate Homeland Security and Governmental Affairs Chairman Joe Lieberman, ID-Conn., told National Journal in an interview earlier this year. “I hope and pray that we deal with it, and we don’t run around frantically after an attack to close loopholes we can close now.”

Lieberman was the lead sponsor of the Cybersecurity Act of 2012, which failed to advance before Congress recessed in August. Republicans, backed by business groups such as the U.S. Chamber of Commerce, say the bill could lead to burdensome government regulations that could never keep up with ever-changing cyberthreats.

FBI Director Robert Mueller has said he thinks the danger of damage to U.S. computer networks—including those that control vital systems such as power grids and nuclear plants—is well on its way to overtaking terrorism as the top threat to the United States.

President Obama is considering a number of ideas for a draft executive order that could be used to enact some reforms if Congress fails to act on cybersecurity, but no decision has been made. Even if Obama moves forward, he’s limited in the steps he can take and Congress will continue to face pressure.

Throughout it all, 9/11 has cast its shadow as lawmakers and government officials seek to inoculate themselves against blame should a catastrophic attack happen.

“We carry the burden of knowing that 9/11 might have been averted with the intelligence that existed at the time,” a group of former officials wrote in a letter to Congress this summer. “We do not want to be in the same position again when ‘cyber 9/11’ hits—it is not a question of whether this will happen; it is a question of ‘when,’ ” said the letter. Among its signatories was Michael Chertoff, who headed the Homeland Security Department under President George W. Bush.

Senate Commerce Chairman Jay Rockefeller, D-W.Va., another of the cybersecurity bill’s sponsors, recalled the 9/11 warning signs that were missed in 2000 and 2001 when discussing the issue during this summer’s debate.

“Our intelligence and national-security leadership took these matters seriously, but not seriously enough,” he said. “Then it was too late: 9/11 happened.”

Although the terrorist attacks have been used as an example of why the United States needs to be proactive in confronting cyberthreats, the civil-liberties legacy of government action taken in their wake is complicating the debate. Privacy groups, for example, have warned that cybersecurity could be used as an excuse to extend government surveillance powers. A House bill aimed at encouraging cybersecurity information-sharing between businesses and government passed the House in April but was roundly criticized as providing a backdoor opportunity for officials to monitor private communications.

Some doubt whether a cyberattack could cause the same loss of life and physical destruction that occurred on 9/11. So far, there have been no examples of major physical damage or deaths related to online-based attacks.

Howard Schmidt, who stepped down as the White House’s top cybersecurity official earlier this year, has long been an advocate of toning down the rhetoric over cybersecurity. And Gen. Keith Alexander, who heads the National Security Agency and U.S. Cyber Command, says that al-Qaida has yet to achieve the capabilities to launch a major cyberattack on the United States.

Nevertheless, both Schmidt and Alexander are among the many officials urging Congress to act before a major attack not only wreaks havoc, but leads policymakers to overreact.

“I’m afraid we’ll argue about this until something bad happens. And when something bad happens, we’ll jump way over here, where we don’t want to be,” Alexander said in a rare public appearance in July. “Let’s do it now. Let’s get it right.”

Businesses are asking for legal protections and incentives to help them better secure private networks, which make up the majority of systems in the United States. The White House, however, says voluntary standards are not enough and advocates for more authority to enforce security guidelines for the most vulnerable networks.