The Obama administration will provide U.S. lawmakers with a classified briefing today on the threat posed by computer attacks as a draft Senate cybersecurity bill faces resistance from business groups over its potential cost.
The legislation is aimed at compelling operators of vital infrastructure, such as utilities and phone carriers, to boost cyberdefenses. The U.S. Chamber of Commerce, the nation’s largest business lobbying group, urged lawmakers this week to delay consideration of the bill, which Senate Majority Leader Harry Reid wants to bring to the floor by Feb. 17.
“Cyber criminals have the ability to interrupt life-sustaining services, cause catastrophic economic damage, or severely degrade the networks our defense and intelligence agencies rely on,” Senator Jay Rockefeller, a West Virginia Democrat, said in a statement yesterday. Rockefeller, who heads the Commerce Committee, is a lead sponsor of the bill.
Hackers are stepping up assaults on U.S. government and corporate systems, spurring efforts by Congress and President Barack Obama to shield infrastructure essential to U.S. national and economic security, such as power grids and water-treatment plants.
The Senate measure, which has yet to be formally introduced, would authorize the Homeland Security Department to identify infrastructure that is critical to U.S. economic and national security and develop standards that must be met to protect it.
The Chamber said it has “serious concerns” about the draft Senate legislation.
“Layering new regulations on critical infrastructure will harm public-private partnerships, cost industry substantial sums on compliance, and not necessarily improve economic and national security,” Bruce Josten, the Chamber’s executive vice president of government affairs, wrote in a letter Monday to Reid and Minority Leader Mitch McConnell, a Republican from Kentucky.
Today’s briefing is intended “to inform senators about the growing threat to our cyber security as they consider cybersecurity legislation in the coming weeks,” Caitlin Hayden, a National Security Council spokeswoman, said in an e-mail yesterday.
The meeting will be led by senior national security officials including Janet Napolitano, Homeland Security Department Secretary; General Martin Dempsey, Chairman of the Joint Chiefs of Staff; and General Keith Alexander, Director of the National Security Agency.
A Bloomberg Government study released in Washington yesterday found that utilities, banks and other infrastructure operators would have to spend almost nine times more on computer defenses to reach a state of security capable of preventing 95 percent of cyber attacks.
The study was conducted by Ponemon Institute LLC, a Traverse City, Michigan-based security-research firm, which interviewed technology managers at 124 companies and 48 government agencies.
Even an incremental improvement in computer defenses would require a significant investment, according to the study. To be able to thwart 84 percent of attacks, up from the current 69 percent, respondents said they would have to almost double their average expenditures on equipment and practices such as user verification systems, encryption and workforce training.
The study highlights the need to explore ways to finance cybersecurity improvements rather than focus solely on technology standards and requirements, Larry Clinton, president of the Washington-based Internet Security Alliance, said at the conference introducing the study’s findings.
“The threats and costs are going up but the investments are going down,” said Clinton, whose group’s members include Lockheed Martin Corp., Verizon Communications Inc. and Northrop Grumman Corp. The study “documents what that gap is and indicates that it is much higher than we had expected.”
Representative William “Mac” Thornberry of Texas, who heads a House Republican task force on cybersecurity, said Congress should act on legislation this year while avoiding bills that dictate how to shore up computer defenses.
“The threat changes so fast, technology changes so fast, that there is no way government regulation can ever keep up,” Thornberry said at the Bloomberg Government conference.
Thornberry said company executives responsible for critical infrastructure need to make network security a “bigger deal,” and said the government can assist companies in certain ways, including by sharing threat data.
“We expect a company to have locks on the doors and maybe a fence around them,” he said. “We don’t expect them to defend themselves against bombers that come over the top.”
House Republicans support more narrowly targeted bills that would provide companies with incentives to better protect their networks and promote information sharing with the government. Such bills could come to the House floor in late February or early March, Thornberry said.