It turns out that Senator Bill Nelson's (FL) office computers in the US Senate were under attack, for the THIRD time in the last month, by what is believed to be a Chinese source.
As we reported earlier, it appears that the Chinese government views the internet as one way to equalize the power difference between the US and China. In blunt terms, should there be an overt fight between the US and China, US government systems and private companies, such as those providing water and power, are targets for a concerted cyber-attack and disruption. With the Senate's computers under attack from Chinese sources, the threat has escalated from theoretical to real.
In response, Senators Jay Rockefeller (WV) and Olympia Snowe (ME) joined forces to draft a bill addressing what appears to be a very lax attitude within the government on cyber-security. I'm not surprised; it usually takes a triggering event to kick the US Congress into high gear. To his credit, Sen. Rockefeller stated:
“At the risk of sounding alarmist, I know the threats we face. Our enemies are real, they are sophisticated, they are determined and they will not rest… Let me be very clear: I will not wait for a crisis to take action now. Today’s economic climate simply does not allow room for error.”
Amen to that!
As is the case for many problems, right now the responsibilities for cyber security are shared among multiple agencies. In addition, past efforts were focused on hardening military and Pentagon computers.
However, intelligence analysts are ringing alarm bells about the threat to private networks. Think about banking systems, rail and air travel, utilities, and communications, and the impact of a concerted, broad-based cyber attack on them: in short, total chaos.
The private sector is simply not up to the task, according to Prof. Gene Spafford of Purdue University, who stated during recent cybersecurity hearings:
“Society has placed too much reliance on marketplace forces to develop solutions. This strategy has failed, in large part, because the traditional incentive structures have not been present: there is no liability for poor quality, and there is no overt penalty for continuing to use faulty products. In particular, there is a continuing pressure to maintain legacy systems and compatibility rather than replace components with deficient security. The result is a lack of reward in the marketplace for vendors with new, more trustworthy, but more expensive products.”
Lacking incentives, the private sector will also take a "wait for the tragedy and then act" approach. The proposed legislation is comprehensive and far-reaching. Its key points are outlined below:
- Establish an Office of the National Cybersecurity Advisor in the White House, serving as the lead officer in developing cyber security policies and plans.
- Involve the private sector in cyber security actions, including establishing “…enforceable cybersecurity standards. The legislation would require the National Institute of Standards and Technology to establish measurable and auditable cybersecurity standards that would be applicable both to government and the private sector.”
- Provide for licensing and certification of cyber security professionals.
- Establish cyber security standards for products purchased by the government.
The key point of this proposed legislation is the broad-scale involvement of the private sector in meeting national cyber security standards. This is no trivial task, and you can bet that a lot of these companies will protest the scope of mandatory government standards. However, I have to believe that this country's key industries are vulnerable and lack a private incentive to harden their systems; the proposed legislation kicks this vulnerability front and center, where it should be.