Bigger US role against companies’ cyberthreats?

LOLITA C. BALDOR

Asso­ci­ated Press

WASHINGTON — A devel­op­ing Sen­ate plan that would bol­ster the government’s abil­ity to reg­u­late the com­puter secu­rity of com­pa­nies that run crit­i­cal indus­tries is draw­ing strong oppo­si­tion from busi­nesses that say it goes too far and secu­rity experts who believe it should have even more teeth.

Leg­is­la­tion set to come out in the days ahead is intended to ensure that com­puter sys­tems run­ning power plants and other essen­tial parts of the country’s infra­struc­ture are pro­tected from hack­ers, ter­ror­ists or other crim­i­nals. The Depart­ment of Home­land Secu­rity, with input from busi­nesses, would select which com­pa­nies to reg­u­late; the agency would have the power to require bet­ter com­puter secu­rity, accord­ing to offi­cials who described the bill. They spoke on con­di­tion of anonymity because law­mak­ers have not final­ized all the details.

Those are the most con­tentious parts of leg­is­la­tion designed to boost cyber­se­cu­rity against the con­stant attacks that tar­get U.S. gov­ern­ment, cor­po­rate and per­sonal com­puter net­works and accounts. Author­i­ties are increas­ingly wor­ried that cyber­crim­i­nals are try­ing to take over sys­tems that con­trol the inner work­ings of water, elec­tri­cal, nuclear or other power plants.

That was the case with the Stuxnet com­puter worm, which tar­geted Iran’s nuclear pro­gram in 2010, infect­ing lap­tops at the Bushehr nuclear power plant.

As much as 85 per­cent of America’s crit­i­cal infra­struc­ture is owned and oper­ated by pri­vate companies

The emerg­ing pro­posal isn’t sit­ting well with those who believe it gives Home­land Secu­rity too much power and those who think it’s too watered down to achieve real secu­rity improvements.

One issue under debate is how the bill nar­rowly lim­its the indus­tries that would be sub­ject to regulation.

Sum­maries of the bill refer to com­pa­nies with sys­tems “whose dis­rup­tion could result in the inter­rup­tion of life-sustaining ser­vices, cat­a­strophic eco­nomic dam­age or severe degra­da­tion of national secu­rity capabilities.”

Crit­ics sug­gest that such lim­its may make it too dif­fi­cult for the gov­ern­ment to reg­u­late those who need it.

There are sharp dis­agree­ments over whether Home­land Secu­rity is the right depart­ment to enforce the rules and whether it can han­dle the new respon­si­bil­i­ties. U.S. offi­cials famil­iar with the debate said the depart­ment would move grad­u­ally, tak­ing on higher pri­or­ity indus­tries first.

“The debate tak­ing place in Con­gress is not whether the gov­ern­ment should pro­tect the Amer­i­can peo­ple from cat­a­strophic harms caused by cyber­at­tacks on crit­i­cal infra­struc­ture, but which entity can do that most effec­tively,” said Jacob Olcott, a senior cyber­se­cu­rity expert at Good Har­bor Consulting.

Under the leg­is­la­tion, Home­land Secu­rity would not reg­u­late indus­tries that are under the author­ity of an agency, such as the Nuclear Reg­u­la­tory Com­mis­sion, with juris­dic­tion already over cyber issues.

“Where the mar­ket has worked, and sys­tems are appro­pri­ately secure, we don’t inter­fere,” said inde­pen­dent Sen. Joe Lieber­man, chair­man of the Sen­ate Home­land Secu­rity and Gov­ern­men­tal Affairs Com­mit­tee. “But where the mar­ket has failed, and crit­i­cal sys­tems are inse­cure, the gov­ern­ment has a respon­si­bil­ity to step in.”

The bill, writ­ten largely by the Sen­ate Com­merce, Sci­ence and Trans­porta­tion Com­mit­tee and the Sen­ate home­land secu­rity panel, is also notable for what it does not include: a pro­vi­sion that would give the pres­i­dent author­ity to shut down Inter­net traf­fic to com­pro­mised Web sites dur­ing a national emer­gency. This “‘kill switch” idea was dis­cussed in early drafts, but drew out­rage from cor­po­rate lead­ers, pri­vacy advo­cates and Inter­net purists who believe cyber­space should remain an untouched dig­i­tal universe.

While the Sen­ate is pulling together one major piece of cyber­se­cu­rity leg­is­la­tion, the House of Rep­re­sen­ta­tives has sev­eral bills that deal with var­i­ous aspects of the issue.

A bill from a House Home­land Secu­rity sub­com­mit­tee doesn’t go as far as the Senate’s in set­ting the government’s role. Still, it would require DHS to develop cyber­se­cu­rity stan­dards and work with indus­try to meet them.

“We know vol­un­tary guide­lines sim­ply have not worked,” said Rep. Jim Langevin, a Demo­c­rat. “For the indus­tries upon which we most rely, gov­ern­ment has a role to work with the pri­vate sec­tor on set­ting secu­rity guide­lines and ensur­ing they are followed.”

Stew­art Baker, a for­mer assis­tant sec­re­tary at Home­land Secu­rity, said the gov­ern­ment must get involved to force com­pa­nies to take cyber­se­cu­rity more seriously.

Con­cerns about fed­eral involve­ment, he said, belie the fact that com­puter breaches over the past sev­eral years make it clear that hack­ers and other gov­ern­ments, such as China and Rus­sia, are already inside many indus­try networks.

“They already have gov­ern­ments in their busi­ness, just not the U.S.,” said Baker. “For them to say they don’t want this sug­gests they don’t really under­stand how bad this prob­lem is.”

Indus­try groups have lob­bied against the Sen­ate bill’s reg­u­la­tory pow­ers and say new man­dates will drive up costs with­out increas­ing security.

They say busi­nesses are try­ing to secure their net­works and need legal pro­tec­tions built into the law so they can share infor­ma­tion with author­i­ties with­out risk­ing antitrust or pri­vacy violations.

In a let­ter to law­mak­ers this past week, the U.S. Cham­ber of Com­merce said any addi­tional reg­u­la­tions would be coun­ter­pro­duc­tive and force busi­nesses to shift their focus from secu­rity to compliance.

Liesyl Franz, a vice pres­i­dent at TechAmer­ica, which rep­re­sents about 1,200 com­pa­nies, said busi­nesses would pre­fer to work with the gov­ern­ment to enhance secu­rity rather than face more reg­u­la­tions. She said com­pa­nies cop­ing with the poten­tial secu­rity risks, mar­ket con­se­quences, and dam­age to cor­po­rate rep­u­ta­tions, are defend­ing against cyberthreats.

Senior national secu­rity offi­cials were on Capi­tol Hill last week to talk to sen­a­tors about the grow­ing cyber­se­cu­rity threat. After the meet­ing, Repub­li­can Sen. Susan Collins said she’s always had a sense of urgency about it, adding, “I hope the brief­ing gives that same sense of urgency to mem­bers to put aside turf battles.”

She said sen­a­tors are review­ing con­cerns raised by the Cham­ber of Com­merce about the bill.

Posted by AP News on Feb 5 2012. You can follow any responses to this entry through the RSS Feed. Comments can be made below.