April 9, 2013

Protecting against cyber-attacks

Last year, Congress failed to forge a workable framework for cybersecurity to protect the United States against a fast-growing national security and economic threat. Our cyber-networks remain dangerously vulnerable to outside attack and are the repeated targets of foreign governments intent on stealing the fruits of our intellectual and business efforts. Congress must address this crucial issue.

The threat to our critical infrastructure, national security and economic prosperity was laid out in a February report by Mandiant, a respected U.S. computer security firm. An elite unit of Chinese hackers affiliated with China’s People Liberation Army, the report concluded, is likely behind a wave of attacks on U.S. government and business computer systems.

Since 2006, according to the report, the Chinese unit has stolen data – including blueprints, test results, business plans and emails – from at least 115 U.S. companies across a wide spectrum of major industries.

Almost every facet of American life is threatened when intruders exploit our cyber-vulnerabilities. And the risk is not from China alone. Foreign governments like Iran and terrorist organizations such as al Qaeda seek to worm into critical national infrastructure and threaten catastrophe here at home. Foreign agents raid our companies, stealing plans, formulas and designs. Foreign criminal networks take money out of our banks, defraud consumers with scams and sell illicit goods and products, cheating U.S. manufacturers. It may be the greatest illicit transfer of wealth in human history.

If you’re a business owner, listen to our top cyber-experts, who say there are only two kinds of businesses: those that have been hacked, and those that don’t know they’ve been hacked. If you’re a consumer, know there’s a third group: those who know they’ve been hacked and won’t admit it.

Following Congress’ failure to act, President Barack Obama has issued an executive order to address some of our nation’s vulnerabilities. But an executive order can’t accomplish everything that needs to be done.

We both worked hard last year to forge a bipartisan legislative compromise, and still believe it can be reached. To get this right, a bipartisan solution must include the following elements:

First, there must be far more disclosure of cyber-threats. Americans should not be in the dark about the risks we face. The government should do more public reporting, and companies should be candid with shareholders and customers about the problems.

Second, companies that operate critical U.S. infrastructure should meet some basic standard to protect their customers and our way of life. We have discussed ways for government to work with industry to set these standards while allowing private-sector initiative to determine the specific manner of companies’ compliance. The model may work for other sectors, as a more nimble, smarter alternative to overly prescriptive administrative regulation.

Third, government agencies and private industries, particularly the communications companies that run the Web’s infrastructure, need to share more information about the threats they see on their networks. This will require removing existing legal barriers – while protecting classified information and privacy.

Fourth, prosecutors should have the resources to pursue international cyber-criminals. These cases are technically and legally complex; involve difficult intelligence and diplomatic and foreign law challenges, and require massive forensic capability. Rather than complain about cyber-robbers overseas, we’d like to see them indicted and prosecuted.

Fifth, we need to make sure that training is available to bring Americans into the cybersecurity field, and maintain our technical leadership in this crucial area. Cyber-danger is not going away. More and more of our business and personal lives will take place in cyberspace. Cyber-threats will expand and evolve. America must be prepared.

In all this, we must safeguard the privacy of U.S. citizens. We can keep the United States secure without infringing dearly held liberties. Well-crafted legislation can achieve this.

We must do this, because we never want to see a nightmare scenario become reality.

Imagine waking up one morning to find the power out at home, and no signal on the phone or computer to tell you what’s going on. You drive into town and find dozens of people in front of the banks, wondering why the ATMs aren’t working. There are lines at gas stations and supermarkets because businesses can’t process sales on credit or debit cards.

The failures all around you – no heat or air conditioning, no banking, no Internet or phone, and cash-only sales in the stores that are open – have no end in sight. There may even be smoke on the horizon from a plant on the outskirts of town, aflame because of compromised equipment.

A cyber-attack could cause all this. We need to work together to ensure America never has to face that day.

By: Sens. Sheldon Whitehouse and Lindsey Graham