White House urges national standards for cyber security

After years of warnings that the U.S. is vulnerable to a cyber attack that could blow up city blocks, erase bank data and fry power grids, the White House said it would call on industry to set standards for securing computer networks that run the nation’s critical infrastructure.

The proposal also offers states and operators of power plants, electrical grids and other critical infrastructures help from the Department of Homeland Security in building better defenses and fixing damage from cyber attacks.

Although U.S. spy agencies and the Pentagon have spent billions of dollars guarding their networks against cyber attacks, 90% of critical infrastructure is in private hands. Homeland Security now will work with those operators in a public-private partnership to protect their systems, officials said.

The White House proposal, coming two years after President Obama declared the cyber threat “one of the most serious economic and national security challenges we face as a nation,” drew lukewarm praise Thursday from congressional Democrats and blistering criticism from some security experts.


“I’d call this weak tea, except I’m not sure the tea bag actually touched the water,” said Stewart Baker, a lawyer who previously held top jobs in Homeland Security and the National Security Agency, which monitors computer intrusions from abroad.

Alan Paller, research director at the SANS Institute, a Bethesda, Md., cyber-security information and education group, said the proposal would amount to a significant improvement and a good catalyst for further steps.

“I’m usually the one that’s taking shots at the government, saying they can do more in cyber-security,” Paller said. “But this bill fundamentally changes the way federal agencies secure their systems. The White House has put forward a plan that’s feasible in a split Congress.”

The Obama proposal would join some 50 bills addressing computer network security pending in Congress.


Rep. James Langevin (D-R.I.), an intelligence committee member who has taken a lead role in cyber-policy, praised parts of the proposal but said it “still leaves some areas of concern.”

For example, he said, no single official is in charge of U.S. cyber defenses, and the proposal would not address concerns about the military’s dual role as defender and potential perpetrator of computer attacks.

Experts have been gaming attack scenarios that seriously damage U.S. infrastructure and markets, including cyber assaults that cause trains to crash in tunnels and gas pipelines and power generators to explode.

Stuxnet, the Internet worm believed to have destroyed some of Iran’s nuclear centrifuges last year, was a cyber attack that experts believe was unleashed by the U.S. or Israel. Iran has threatened retaliation.


“And you know what? We can’t stop them with our standards, period,” said Joseph Weiss, an expert on industrial control systems that run power plants and electric grids that are vulnerable to attack.

Al Qaeda doesn’t yet have the capability to mount such attacks, but China and Russia do, as do criminal groups that could sell their services to the highest bidder, experts said.

Cyber attacks also have been used for crime and espionage. Foreign governments and criminal networks are stealing intellectual property by the terabyte, experts said, and Obama put the annual loss to digital theft at $1 trillion.

Many basic steps that could defend against cyber attacks are not being taken because no regulation requires it and it’s in no one’s financial interest to do so, analysts said. “Industry doesn’t want anything that isn’t a very, very low bar or that requires them to spend a whole lot of money to do much,” Weiss said.


The administration’s proposal tries to address that problem on a number of fronts. It requires Homeland Security to work with industry to identify critical infrastructure operators and to “prioritize the most important cyber threats and vulnerabilities for those operators,” according to a White House fact sheet.

Companies and utilities “would develop their own methods for addressing cyber threats. Then, commercial auditors would assess each operator’s cyber-security risk mitigation plans,” the fact sheet states.

Public companies would have to certify to the Securities and Exchange Commission that their plans are sufficient, and a summary of the plan would be publicly accessible, to allow the market to determine whether the plan passes muster.

But the proposal does not expand the president’s authority to take over segments of U.S. networks in the event of a cyber attack against critical infrastructure.


This so-called Internet kill switch isn’t needed, officials said. The president already has such power under the 1934 Communications Act, Paller said.

Senate Democrats have expressed interest in passing a cyber bill, but it’s not clear whether the Republican-controlled House will follow suit.

One thing is clear: With attacks against federal government computers increasing more than 650% since 2006, federal spending on cyber security is expected to grow 9.1% annually to $13.3 billion over the next four years, according to Input, a Reston, Va., government contracting research firm.