Adam Levin

The Profound Failure of Congress on Cybersecurity (and Why You Should Care)

Posted: 08/09/2012 10:29 am

On August 2, Congress did it again. They acknowledged the looming threat of cyberwarfare while discussing the Cybersecurity Act of 2012, and then they "kicked the can down the road." It's what they do best. The "Party of No" hurt us all on a critically necessary piece of cyber-security legislation, and continued the U.S. Senate's proud tradition of failing to do anything to deal with our absolute vulnerability to an attack by state-sponsored hackers and terrorists on our critical infrastructure.

The Obama administration called the result "a profound disappointment." That is a bloody understatement.

We no longer have Cold War problems. It's hackers, working either for rogue states or terrorist organizations. At some point, they will disrupt not just our military's computers, which will be bad enough, but also the computers upon which all Americans depend: computers that run our nuclear power plants and electricity grid; computers that deliver our drinking water; computers that manage our hospitals, banks, and every corporation large and small. They will use our own machines against us, but as of yet we have no John Connor.

"(T)he Pentagon has formally recognized cyberspace as a new domain in warfare . . . [which] has become just as critical to military operations as land, sea, air, and space," William J. Lynn III, the deputy secretary of defense, wrote in a 2010 article for Foreign Affairs magazine.

What's particularly troubling, experts warn, is the degree to which America's critical computer infrastructure is decentralized, privatized, unprotected, and vulnerable to attack. It was precisely this problem that the cybersecurity bill was intended to solve.

Knocking out even 10 percent of the computers used to control the complicated network of water reservoirs and pipelines that crisscross the Western states would have an immediate, severe impact in giant metropolises including Phoenix, Las Vegas and Los Angeles. Private utility companies like First Energy -- which caused the 2003 East Coast blackout, and which came within 60 days of incinerating a large swath of Michigan, Ohio and Pennsylvania in 2002 by allowing acid to eat a football-sized hole in a nuclear reactor lid at its Davis-Besse power plant -- face only limited requirements to safeguard their critical computer systems. If this is how major utilities handle basic infrastructure such as power transmission lines and nuclear reactors, just think what unseen dangers lurk in their disparate computer systems.

"The alarm bells sound regularly: cybergeddon; the next Pearl Harbor; one of the greatest existential threats facing the United States," Preet Bharara, U.S. attorney for the Southern District of New York, wrote in a recent op-ed in The New York Times. "With increasing frequency, these are the grave terms officials invoke about the menace of cybercrime -- and they're not understating the threat."

Both parties in Congress agree that the question is not whether this next war will start. It's when. Yet members of both parties once again blew their best chance to get America ready. Senator Joseph Lieberman, the Independent from Connecticut, literally spent years nursing a cybersecurity bill through Congress. As originally conceived, the bill would have created security standards for computers that run the nation's critical infrastructure including transportation, water systems and the electrical grid. In addition, it gave the federal government the power to make sure those standards were met.

Lieberman's first attempt was clearly far from perfect. As my colleague Eduard Goodman, chief privacy officer of Identity Theft 911, sees it, the original bill contained some serious threats to the privacy of American citizens. Particularly troubling were provisions that could have required phone companies and Internet service providers to spy on their customers, and turn over anything that looked suspicious to government surveillance agencies.

According to Goodman, "Companies would potentially be reporting individual citizens to law enforcement without any of the checks and balances we have for traditional surveillance, though in truth, to some degree this has already been happening for years."

That dog don't hunt. Our Founding Fathers fought and died to preserve and protect our freedom and liberty. Sacrificing freedom in the name of protecting it (sorry, Sheriff Joe) is akin to destroying the village to save it.

That problem could have been resolved, however, by the deliberative process for which Congress was created, but some of our esteemed lawmakers had no desire to make the legislation better. They simply wanted to kill it, but for all the wrong reasons. Conservatives and their financial backers in the Chamber of Commerce didn't even mention the cybersecurity bill's looming privacy threats. Rather, they focused on trumped-up allegations that the bill would be a burden to American corporations.

"The chamber believes [the bill] could actually impede U.S. cyber security by shifting businesses' resources away from implementing robust and effective security measures and toward meeting government mandates," Bruce Josten, chief lobbyist for the chamber, wrote in a letter to senators.

Shifting resources... Are you kidding me? U.S. Attorney Bharara has remarked on several occasions that he was approached by a board member of a major U.S. corporation who remarked that cyber security wasn't even mentioned at meetings. Josten's argument is utterly bogus. As Joel Brenner, former counsel for the National Security Agency, repeatedly points out, American corporations' current computer safeguards present a "'glass house,' all but transparent to our adversaries."

But the opponents of the bill weren't interested in having that inconvenient truth aired. So they deployed their full arsenal of parliamentary tricks to kill the bill. They loaded it down with more than 70 amendments, most of which were highly controversial and had nothing to do with the legislation at hand, including provisions on gun control (don't get me started) and abortion. This is like the Grasshopper and the Ants parable, but a thousand times worse. While corporate America tries to keep things as Wild West as possible while they loot the American Dream, they seemingly have no regard for the future. But winter is coming.

"We all recognize the problem, that's really not the issue here," Mitch McConnell (R - Kentucky), the Senate Minority Leader, said from the Senate floor. "It's the matter that the majority leader has tried to steamroll a bill."

This bill is no more a steamroller than a cat on a tricycle. It was many years in the making -- there was nothing fast about it. Was it one of the Senate Democrats' finest moments? Not quite. In an effort to woo sufficient members of McConnell's rabid right wing to win the supermajority needed to overcome the filibuster, Democrats simply, profoundly caved. They offered to make the bill's vital security safeguards optional, which in the context of the coming cyberwar is like telling members of the Massachusetts Militia that the Minutemen can show up whenever it's convenient.

The problem, as most people who are paying attention know, is that our current collection of uneven, random and deficient computer security protocols will fail precisely because they are optional. The Democrats' last-ditch efforts to save the bill by gutting it might have created some small boost in their efforts to look tough on security issues before the election this fall, but the resulting law would have done little to better protect the American people. In the end we are probably lucky that it failed, having avoided being lulled into a false sense of security.

So what happens next? The Obama administration has some power to require that executive agencies write and enforce a number of the security rules included in Lieberman's original cybersecurity bill. The administration has hinted that it might use that power, and I hope that it does, despite well-rehearsed and inevitable howls of faux outrage that the President is sidestepping the will of Congress. After all, when the Congress has demonstrated that its will is to leave America's critical infrastructure flapping in the breeze, the President's only choice is to act as Commander in Chief to a threat to the nation.

But any moves by the executive branch can only be piecemeal. The White House needs the blessing of Congress before it can require agencies and private companies to share information on threats. That kind of collaboration was exactly what was missing in the years before Sept. 11, and it appears America's military and intelligence agencies learned that lesson well.

Apparently, the politicians in Congress have not. Through their election-year cowardice, both Democrats and Republicans have colluded to let terrorists and enemy states create a new "Day of Infamy." Therefore, let's make November 6, 2012, Election Day, their day of reckoning.

This article originally appeared on Credit.com.

 

11:47 AM on 08/11/2012
Mr. Levin, as someone who is employed in the information security (cybersecurity) business, I completely agree that infosec is not prioritized nearly as much as it should be and that we need to get much better. However, legislation is not the right way to do that. It is a very different beast than safety regulations. To regulate nuclear power, for example, you can identify the threat (radiation), follow a long and rigorous process of determining best practices to protect against that threat (containment vessels, etc.) and require applying those. This is possible and effective since the threat, radiation, does not change.

Against a cyber threat, you are not defending against a natural phenomenon, you are in a fight, defending against a highly agile threat that changes continually. For example, a huge number of VPNs that literally one month ago were industry standards and best practices for encryption and security are now completely broken. When regulators try to impose best practices, inevitably measures that seem like a good idea now will be codified, and next year, it won't make any sense, might even make security worse, but everyone will still be spending time and money meeting regulations. Maybe they otherwise would have spent that time & money doing security better, or maybe they wouldn't, but the cybersecurity act would definitely have increased costs, added bureaucracy, and slowed the pace of innovations.
vonhinger
08:25 PM on 08/09/2012
wow there is so much failure coming out of the government, maybe they thought people won't notice!!! LOL
07:41 PM on 08/09/2012
Please don't call this cyber-security. It's information security and privacy. This has very little to do with cybernetics (computers) per se and mostly to do with greedy corporations and power-seeking governments trying to do the next bling-thing without thinking through the consequences.

Because the consequences don't fall on the corporations or the government. They fall on us - the meat-puppets of this capitalistic rush.

Make the corporations REALLY responsible for handling this information, with real consequences. Such as denial of access to the credit card networks. Make the credit card networks REALLY responsible for handling this data by making them LIABLE to DEFAMATION for incorrect data in their system - and take away the special laws passed in the '90s that make credit card debt so much harder to discharge with bankruptcy. (That damn debt is UNSECURED.)

This ISN'T cyber-security. It's business security. It's being HELD RESPONSIBLE for your own screwups.

But then we have the example of Wall Street these days - and we know how important RESPONSIBILITY is.
06:25 PM on 08/09/2012
Congress did the right thing. We do not need the level of government control that was in this bill and we didn't need the extra stuff that was in it either. This was a bill we did not need and all the fear mongering in the world won't change it.
SomebodySpecial
My micro-bio is full of eels
06:15 PM on 08/09/2012
Wow! This column is wrong in so many ways that it's obvious Mr. Levin knows little or nothing about computer networks. I don't have the time or space to correct Mr. Levin's column paragraph by paragraph. Please, Mr. Levin, stick to writing about things you understand.

I would like to point out that Mr. Levin conflates cybercrime and cyberwarfare. The former is mostly about stealing credit card numbers and personal identification information. The latter is about an enemy shutting down a nation's computer controlled infrastructure, especially military systems.

The simplest solution to the problem of protecting critical infrastructure control systems from hacking is to take them off the public internet. Most of these systems should not have been connected to the internet in the first place. Just because you can doesn't mean you should.
Jeremy Bursac
You're not the bossa nova me.
03:59 PM on 08/09/2012
"'(T)he Pentagon has formally recognized cyberspace as a new domain in warfare'....Both parties in Congress agree that the question is not whether this next war will start. It's when."

It was the Pentagon (or some intelligence agency cabal) which first truly weaponized cyberspace via stuxnet. What is really under discussion is when the US will suffer the blowback, and how much in military industrial complex profits can be realized in the meantime on this basis. I mean, if you wanted to tell the truth.

Meanwhile imo, Mr. Credit.com knows full well that the credit card and monitoring industry was the original, large scale identity thief. They own your identity and financial life at least as much as you do, and if you don't make regular use of their products they will on that basis alone be able to worsen your financial situation. The ultimate scam, imo.
hogman
Some people without brains do a lot of talking.
12:47 PM on 08/09/2012
If Iran (or Russia or any US enemy) launched a nuclear missile and detonated it 125 miles above St. Louis, the blast wouldn't kill people although many would receive some radiation burns. What the blast would do is create a pulse of electro-magnetic radiation, sending millions of volts of electricity through copper wires. The damage would resemble a direct lightning strike as far as anything electronic goes except for the burn mark where the lightning hits. The electricity grid would immediately shut down, it would take months if not years to repair. Every TV, radio, computer, laptop, anything electronic, fried beyond repair. The entire 48 states plus parts of Canada and Mexico would suffer damage beyond repair.
Levin doesn't seem like the brightest porch bulb on the block. Why would a rogue state honor US laws? Does he think that will stop them? Makes me wonder about people like him.
05:29 PM on 08/09/2012
Dude. Are you kidding? Speaking of not-so-bright bulbs, you didn't even read the story. The point isn't whether terrorists or rogue states will respect U.S. law - of course they won't. The point is that American companies have to respect American laws. And right now large American corporations are the problem, since a) their computer systems are woefully vulnerable to attack and b) they're channeling massive amounts of lobbying money through groups like the Chamber of Commerce to fight common-sense, smack-the-forehead-obvious attempts like the Cybersecurity Act to harden critical infrastructure like nuclear plants and water lines from attack. Even Mitch McConnell, who himself is not the sharpest little pencil when it comes to long-term strategic thinking about the security of our country, understands this.

Why don't you?
For2ity
Never make an apology for your intelligence.
11:21 PM on 08/09/2012
Mr. Maxwell, I am one of those "people" who know about cyber-security; am a rabid privacy advocate; and a consultant to the industry. You have really become DRUNK on the kool-aid, Sir. Just step away from the keyboard and take a long cleansing breath. The idea that corporate America does nothing to prepare for ANY contingency, both cyber and non-cyber is absolutely ludicrous and dwells in a fanatical galaxy far, far away! I mean seriously, Chris?
crosswiredmind
homo sapiens sapiens
11:38 AM on 08/09/2012
It was a Democrat that attached the gun control measure to the bill – credit where credit is due.
Chris Herz
11:26 AM on 08/09/2012
The USA opened this kind of warfare with cyber attacks on Iran's nuclear industry. It all reminds me of the Germans initiating the use of poison gas in Western Europe back in WWI: It seems no one told the supposedly brilliant German General Staff that the prevailing winds in NW France are from West to East.
06:27 PM on 08/09/2012
Not only did we cyber attack Iran, someone in the PBO admin leaked it.