Consider what Hurricane Katrina did to New Orleans, and you get an idea of the consequences of a cyberattack on critical U.S. infrastructure: No electricity. No water. No transportation. Terrorists or enemy adversaries with computer skills could conceivably take down a power grid, a nuclear station, a water treatment center or a chemical manufacturing plant.
The prospect of such a paralyzing strike has convinced U.S. security officials and members of Congress that a new law may be needed to promote improved cyberdefenses at critical facilities around the country. Progress on that legislation, however, has been slowed by a debate over whether new cybersecurity measures should be mandated or merely encouraged.
The proposal that has received the most attention, sponsored by Sens. Joe Lieberman, I-Conn., Susan Collins, R-Maine, and others, would require owners and operators of critical infrastructure assets to notify the Department of Homeland Security of any and all cyber intrusions into their operating systems. Currently, such reporting is strictly voluntary, and security experts say only a fraction of the incidents come to the government's attention.
The Lieberman-Collins initiative would also establish baseline cybersecurity standards that all companies in an industrial sector would be required to meet. The legislation, however, has run into stiff opposition from private firms, the Chamber of Commerce and from members of Congress who view it as heavy-handed.
"Unelected bureaucrats at the [Department of Homeland Security] could promulgate prescriptive regulations on American businesses," charges Sen. John McCain, R-Ariz., the co-author of an alternative cybersecurity bill that favors voluntary information sharing between the government and private industry.
Advocates of mandatory cybersecurity standards, however, say the owners and operators of critical assets have consistently underestimated their vulnerability to cyberattacks and therefore are unlikely on their own to take the steps necessary to bolster their own defenses, particularly if they cost money.
Many operators, for example, do not realize their industrial controls may be accessible via the Internet.
Awareness Of Weaknesses
Such was the conclusion of Sean McGurk, who visited hundreds of power stations, water-treatment facilities and other critical assets as director of the National Cybersecurity and Communications Integration Center at the Department of Homeland Security.
"In every case, we were told that the systems were completely isolated from the enterprise network or the Internet, that there were no direct connections," McGurk recalls. "And in no case has that ever been true. In hundreds of vulnerability assessments, we've always found connections between the equipment on the manufacturing floor and the outside world."
The operating equipment probably lacked online links when designed and installed, but modernization and automation in subsequent years have introduced network connections of which the operators may be unaware. Such connections offer a doorway through which cyberattackers can penetrate an industrial system.
DHS cybersecurity experts such as McGurk (who has since left the government) have so far been handicapped in addressing infrastructure vulnerabilities because nearly 90 percent of the installations are in private hands.
Awareness of those vulnerabilities varies widely among the owners and operators of infrastructure assets, and some are openly skeptical of the need for expensive new security measures.
"There's been an awful lot written about cybersecurity and the threat of it," said Robert Johnston, president and CEO of MEAG Power in Atlanta. "There are a lot of people who want to spend a huge amount of money on something that we have not necessarily identified."
Johnston made his comments last fall in an interview with Energybiz, a business journal.
"Show me an event where we've lost systems due to cyberterrorism," he said. "I'm not aware of one."
'A Window Of Opportunity'
Security experts argue, however, that the example of the attacks of Sept. 11, 2001, shows that preparations for a terrorist attack must be made ahead of time.
"If terrorist groups were able to acquire these destructive cyber capabilities, I think we should fear greatly that they would use them," says William Lynn, until recently the deputy U.S. secretary of defense. "The capabilities are not yet in the hands of the most malicious actors, so we have a window of opportunity to improve our defenses.
"We don't know exactly how long that window of opportunity is, but I think we should feel a strong need to improve our defenses before that happens."
The debate over whether to establish compulsory or voluntary cybersecurity standards has led to competing legislative proposals on Capitol Hill. Rep. James Langevin, D-R.I., for example, is pushing to increase the authority of the Federal Energy Regulatory Commission to monitor cybersecurity in the U.S. power grid.
At present, FERC only has the power to approve or reject proposals initiated by power companies.
"I'd like to see that change," Langevin says, "so that when you have actionable intelligence that suggests a vulnerability exists and needs to be closed, FERC as the regulating entity has the authority to do that."
McCain and other Republican lawmakers have vigorously opposed such changes, saying industry is already overregulated and that new restrictions would hurt business.
"The regulations [under consideration] would stymie job creation, blur the definition of private property rights, and divert resources from actual cybersecurity to compliance with government mandates," McCain argued during a recent congressional hearing on proposed legislation.
Profits Over Public Safety?
Langevin and others have countered that private owners and operators may need to be forced to improve their cybersecurity for the general good.
"I would assess that the owners and operators of critical infrastructure have employed a minimum level of security because employing more robust cybersecurity would cost money and affect the bottom line," Langevin says. "They're putting profits ahead of public safety, in my opinion."
The wrangling over cybersecurity, however, is not strictly partisan. Among the advocates of tough, compulsory measures are several former Bush administration officials, including Michael Chertoff, a former secretary of Homeland Security, and Michael McConnell, a former director of National Intelligence, as well as FBI Director Robert Mueller, who has served under both Presidents Obama and Bush.
McConnell is especially dismissive of the argument that the mandatory cybersecurity measures being proposed would be anti-business.
"You got the same argument with virtually everything from seat belts to safety devices in electrical equipment," he says. "If you're out competing, and the competition is tough, you don't want to add any cost to your process, so your natural response to any regulatory talk is, 'It's more burden, and it's not worth it, and it would put me at a competitive disadvantage.' "
Though McConnell calls himself "a free-market advocate," he argues that more government regulation is sometimes needed, including in the cyber domain.
"This threat is so intrusive, it's so serious," he says. "If we don't address it, it's going to have a severe impact. I think we have no choice but to address it, and some of that process will be regulatory."
Still, some compromise will be necessary if new cybersecurity legislation is to be approved, and any final bill will undoubtedly promote some kind of government-industry partnership.
McGurk, who is now in private business helping firms address their cybersecurity problems, says such cooperative efforts are essential.
"With very limited exceptions, the skills necessary to secure water companies and power companies and chemical companies and nuclear facilities are nowhere available in the federal government," he says. "They reside in the private sector, with the asset owners and operators."