Amid a barrage of vague and ineffective cybersecurity legislation, the United States Congress has failed to formulate a feasible plan to protect the nation from cyber-attack. Wearied by bills such as SOPA, PIPA and CISPA that have been widely opposed due to their nebulous and restrictive provisions, the nation seems skeptical of another cybersecurity bill. But in the midst of controversial concerns about privacy and piracy, there remains an imminent threat of cyber-attack that must be addressed with effective and pointed legislation. In a country where essential components of infrastructure, such as power grids and nuclear plants, are vulnerable to cyber-attack, cybersecurity is not only an issue of financial interest to private sector companies, but an issue of national security.
The Imminent Threat
Perhaps the most striking example of effective cyber-attack is Operation Olympic Games. Started under the Bush administration and expanded under President Obama, Operation Olympic Games employed increasingly complicated attacks against the computers operating Iranian nuclear facilities. This program was the purported root of the famous Stuxnet virus that ravaged almost a fifth of all Iranian centrifuges, setting them back up to two years, according to Obama administration estimates.
Operation Olympic Games marked the commencement of a perilous age of cyber-warfare; the United States instigated a war that will certainly have destructive consequences. The worm that attacked the Natanz plant in Iran suffered a programming error that allowed it to escape from the Iranian facility's network and spread through the Internet, free to be examined by security experts and free to be replicated or imitated by potential hackers.
In 2011, Iran declared plans to build its own military unit focusing on cyber warfare. Armed with the leaked Natanz plant worm and unencumbered by political ties in its potential aim to exact retribution for the Stuxnet attack, Iran remains a likely source of cyber-attack on the United States. Leading cybersecurity analysts have already linked Iran to the Shamoon virus that attacked Persian Gulf oil companies.
"This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional 'garbage' data that overwrote all the real data on the machine. The more than 30,000 computers it infected were rendered useless, and had to be replaced," Defense Secretary Panetta said of the Shamoon virus.
But Iran is not the only threat to America in the cyber-world. Cyber-attack can originate from a number of sources, from hostile countries, to advanced terrorist groups, to criminal "hacktivist" organizations -- just earlier this year, hacktivist group Anonymous claimed responsibility for attacks on the FBI and Department of Justice websites.
The threat of cyber-attack is particularly vast due to widespread access to computers and the Internet. Strong legislation can attain some measure of success preventing the transport of arms and explosives into the country, and effective intelligence can identify and neutralize known human terrorist threats. The anonymous nature of the Internet, however, provides a fertile ground for organized cyber-attack, making the passage of effective legislation vital to American security.
The Dead Legislation
About a month ago, the United States Senate killed the Lieberman-Collins Cybersecurity Act of 2012 (S. 3414), a measure backed by President Obama. "Cybersecurity is dead for this Congress," said Senate Majority Leader Harry Reid.
The Cybersecurity Act of 2012, introduced by Independent Joe Lieberman and Republican Susan Collins, sought to facilitate information sharing between companies that operated infrastructure in the United States, and set voluntary security standards.
Senator Reid encouraged a vote on the legislation before Thanksgiving, saying, "The president of the United States believes the cybersecurity bill is one of the most important things facing this country now -- not the next Congress, now."
The legislation has been passed from committee to committee throughout the year, and several revisions have been made, softening the provisions of the bill. The cybersecurity standards, which were mandatory in previous bills, were made voluntary in the final version of the act. The act included provisions that enjoyed widespread bipartisan support, such as the facilitation of information-sharing between the government and private entities about security threats. Despite these appealing bipartisan measures, however, the Senate killed the legislation 51-47, failing to garner the 60 votes needed.
Senate Republicans generally opposed the bill, citing the increased government regulation of business as an undesirable consequence. As Chamber of Commerce Executive Vice President for Government Affairs R. Bruce Josten wrote, "There is a healthy and robust disagreement about the proper role of government in regulating the business community given the incredibly dynamic nature of cybersecurity risks, that is far from resolved."
A Plan for the Future?
Under a Congress regarded as "obstructionist" by many, and dysfunctional by most, the American people have gradually become accustomed to "healthy and robust disagreement" that leads to profound inaction. In the area of cybersecurity, however, every year that the government fails to enact meaningful legislation gives more time for potential threats to develop increasingly sophisticated malware.
White House officials have indicated that the Obama administration is considering the enactment of an executive order to augment cybersecurity if Congress fails to act. The effect of such an order depends on its specific provisions and the language it uses. The denizens of the Internet are rightfully unwilling to compromise their free speech, and thus all effective cybersecurity legislation must employ specific language. All loopholes in the legislation must be considered to ensure that it will not interfere with the life of average Internet users.
Legislation enacted for national security has a particular tendency to cross accepted boundaries, as witnessed in the years following 9/11, when bills such as the PATRIOT Act were allowed to pass without critical oversight. Ben Franklin rightly stated, "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." However, intelligent legislation removes the need for a tradeoff between liberty and safety; there is no reason why America cannot have both.
Useful legislation will require an immense amount of thought and effort, and so it is imperative that cybersecurity be placed at the forefront of American politics. An attack on American infrastructure could devastate the nation to a degree that may render traditional terrorism and warfare obsolete. It is time for America to come to terms with the realities of the risks it faces while simultaneously protecting itself from overreaching regulation.