Holes in U.S. cyber security

Speaking to a group of U.S. business leaders last week, Defense Secretary Leon E. Panetta issued a dire warning that foreign hackers are becoming increasingly sophisticated and that their online attacks on transportation systems, banks and other vital facilities are escalating. The worst-case scenario, he said, is a “cyber Pearl Harbor” perpetrated by state-sponsored hackers or terrorists that “would cause physical destruction and loss of life, paralyze and shock the nation and create a profound new sense of vulnerability.”

Panetta wasn’t lobbying for more defense spending or expanded powers to respond to threats. Instead, he was trying to break a vexing logjam in Congress over legislation to beef up cyber security in the private sector. In particular, business groups have resisted a Senate proposal that would give the private operators of critical infrastructure — water plants, electrical grids and the like — an incentive to meet new cyber-security goals.

That measure, S 3414, was blocked in August by a Republican filibuster after the U.S. Chamber of Commerce declared its unstinting opposition. The measure would allow the government and businesses to share more information about cyber attacks and potential defenses, which the chamber supports. But it would also call for the private sector to develop voluntary “best practices” for protecting critical infrastructure, which the chamber argues would become mandatory, burdensome and insufficiently responsive to the dynamic nature of the threat.

The chamber’s opposition didn’t square with the actual provisions of the bill, which addressed most of its stated concerns. The best practices it promoted would have set security goals, but businesses would have decided what techniques to use to meet them. Any business that complied with these practices would have been immune to punitive damages if customers sued them in the event of a successful cyber attack, which is a sensible incentive to participate.

Business groups are backing a bipartisan House bill that deals only with information-sharing among companies and the federal government, not the vulnerability of critical infrastructure, which is at least as large a problem. Panetta’s speech makes it clear that the private sector isn’t doing enough to gird itself against the threats it faces, and that the potential consequences could be devastating. Senate Majority Leader Harry Reid (D-Nev.) has pledged to take up the cyber-security bill again in November, after the election, and lawmakers should enact a bill along the lines of S 3414. Failing that, President Obama should issue an executive order to promote voluntary cyber-security standards and information-sharing within the limits of current law. That’s not the ideal approach, but it’s a start.