Congress Considers Government Role in Securing Critical Infrastructure

In one of several congressional hearings on cyber-security this week, lawmakers discussed data breach notification laws and how to protect critical infrastructure.

Security experts and public officials testified at a congressional subcommittee hearing about the role the federal government should play in defending cyberspace and protecting critical infrastructure from attackers.

There are more kinds of malware and online threats than ever, and cyber-criminals are becoming more sophisticated, industry experts told congressional lawmakers at the May 25 hearing of the House Oversight and Government Reform Committee's National Security, Homeland Defense and Foreign Operations Subcommittee. While cyber-security should be a high priority for the government, they argued, industry should be responsible for securing itself.

"Cyber-crime is an ever-evolving threat, and there is no single solution to prevent attacks," Dean Turner, director of Symantec's Global Intelligence Network, testified at the hearing. "Bad actors are getting smarter and more resourceful every day, and we must continue to be vigilant to protect our economy, our national security and our way of life."

The individuals and organizations behind these threats have a "wide variety of motivations and intended consequences," and include hackers, cyber-criminals, cyber-spies and hacktivists, according to Turner.

There is no need for government-imposed regulation on cyber-security, according to Phillip Bond, CEO and president of the industry organization TechAmerica. The first rule is that "Congress should do no harm," Bond said at the hearing. Instead of issuing a list of rules, Congress should focus on a system of incentives and liability protections for companies.

The White House cyber-security proposal currently suggests publicly disclosing the security level of companies that operate critical infrastructure, such as smart grids, telecommunications infrastructure and gas lines. Several lawmakers have criticized this approach as "name and shame," and argued that the information would provide cyber-criminals with a list of vulnerable infrastructure to target. An incentive program would go further in encouraging companies to improve their security, Bond said.

It makes sense to let the private sector take the lead in protecting infrastructure, considering that the private sector operates more than 75 percent of what is considered cyberspace, Philip Reitinger, deputy undersecretary of the National Protection and Programs Directorate at the Department of Homeland Security, said at a different hearing.

DHS officials appeared satisfied with their current role in securing critical infrastructure. The federal government should be a facilitator working with the private sector, according to Sean McGurk, director of the control systems security program in the Department of Homeland Security's National Cyber Security Division. DHS performs voluntary security assessments for companies that request them, McGurk told the subcommittee.

However, DHS needs more authority over critical infrastructure and should be able to "mandate" risk-based performance, according to James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies.

Even while encouraging the government to take a hands-off approach to cyber-security, industry would welcome new regulation addressing data breach reporting, according to Bond. Currently, organizations have to deal with a patchwork of 47 state laws with differing requirements and language for notifying consumers when sensitive personal information has been stolen or exposed. The White House cyber-security proposal calls for a federal data breach notification law that would override the state laws.

Lewis also noted that the term "attack" is too broad and not helpful when discussing cyber-security. "We tend to call everything bad that happens in cyberspace an attack," Lewis said. If there is no damage, death or destruction, it should not be called an attack, but rather "crime or espionage," according to Lewis. Under his definition, only three cyber-incidents qualify as an attack: Stuxnet, the blackout in Brazil and the interference with air defenses by the Israelis in a raid on a Syrian nuclear facility.

Attackers have "no boundaries" when it comes to victims, Turner said. Corporate enterprises are often targeted for customer data and intellectual property, and small businesses are vulnerable to having money stolen from bank accounts. End users feel the impact when they have to deal with identity theft and credit card scams. Governments are victims of "cyber-sabotage, cyber-espionage and hacktivism," Turner said.

McGurk said DHS does not distinguish between attacks by nation states and those conducted by criminals and other organizations. The focus should be on identifying and mitigating risk, McGurk said. Identifying the responsible parties is difficult and, in his view, unnecessary. "The source isn't important," McGurk said.

There have been several congressional hearings on cyber-security this week. The Senate Homeland Security Committee discussed the White House cyber-security proposal on May 23. The House Judiciary Subcommittee on Intellectual Property, Competition and the Internet also discussed the proposal on May 25.

The full House Oversight and Government Reform Committee will hold a hearing June 1 to discuss the full cyber-security proposal from the White House.