The Sony hacking served as a national reminder that cybersecurity should be taken more seriously. Thus, the lame-duck 113th Congress passed several cybersecurity acts, which the President signed on December 18.
The new laws include: The National Cybersecurity Protection Act (S. 2519); The Federal Information Security Modernization Act of 2014 (S. 2521); The Critical Infrastructure Research and Development Advancement Act of 2014, or CIRDA Act of 2014 (Public Law No: 113-246); The Homeland Security Cybersecurity Workforce Assessment Act, which was included in the Border Patrol Agent Pay Reform Act of 2014 (S. 1691); and The CyberSecurity Enhancement Act of 2014, which permits the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), to facilitate and support the development of a voluntary, industry-led set of standards and procedures to reduce cyberrisks to critical infrastructure.” This should help develop “voluntary standards for securing our country’s critical infrastructure with public-private partnerships.”
Until not long ago, the notion behind the House and Senate bills past and present was that government had the greater expertise and manpower to combat cyberattack and therefore should also protect the private sector. For this, however, public-private information sharing is crucial. But the private sector did not like the idea of mandatory sharing information on attacks, especially so after Snowdon’s NSA exposes. Also, if the government has the expertise and the means, why then we read with growing frequency that many government agencies are being hacked into?
“What can we do to cope?” asked outgoing Intelligence Committee Chairman Mike Rogers in the Wall Street Journal. “It is not enough to simply exhort American companies to work harder or the government to promulgate new regulations….Congress must update the law to expand the private-sector’s access to government-classified cyberthreat intelligence,” he said. “The law must also be updated to knock down the many barriers, such a concerns about legal liability or action by government regulators, that currently impede or stop companies from sharing cyberthreat information with each other and the government,” he wrote. However, several cybersecurity firms did not wait for the government. Earlier this year they forged alliances and begun sharing cyberthreat information
Rogers, like Obama, is most concerned with state-sponsored cyberattacks, not criminals. And both are worried not only about service denial, but about attacks that aim to spy, steal information and even destroy computers. Therefore, Rogers argued, “The U.S. government has an obligation to help those companies defend themselves by sharing any actionable intelligence the government has to warn them when and where they can expect an attack to come from.”
In May 2010, former National Security Agency Director Keith Alexander lamented, “The scale of compromise, including the loss of sensitive and unclassified data, is staggering,” Miller said. “We’re talking about terabytes of data, equivalent to multiple libraries of Congress.” Since then it has only gotten worse. Yet, the general attitude, even now, is that “cyberattacks are a fact of life.” Not necessarily.
Better security, however, means a different mindset.
Protection against cyberattacks should be among the U.S. government’s highest and most urgent priorities. Since hackers break into government and private systems threatening the economy, the public and national security, the brightest cyber experts in the nation should be invited to participate in a highly secluded “Manhattan Project”-like group. It should consist experts from government, academia and the private sector, thus gaining the confidence of the public. Better organization and less bureaucracy could be provided by the private sector and funding should be allocated by Congress, as well as the private sector.
Meanwhile, with the latest news being that “the ISC site, home to the world’s most popular Domain Name System program BIND, appears to have been infected with malware,” the minimally prudent thing to do for individuals, companies and certainly most government offices, is to use computers not connected to the Internet.