In November 2011, hackers using an IP address in Russia attacked a water plant in Illinois. The hackers were able to turn a water pump on and off so frequently that it broke. While the incident caused no other damage and did not shut down the water system, it was the first known instance of a malicious foreign attack on this nation’s critical infrastructure, and it demonstrated how vulnerable such vital services as waterworks, the electrical grid, oil and gas pipelines and the telecom system are to hackers. It also lent urgency to efforts in Congress to enact legislation to make critical industries less vulnerable to attack.
For several years, Sen. Joe Lieberman (I-Conn.), pictured at right, has been trying to pass a cybersecurity bill that would resolve issues around privacy and the sharing of information among critical industries and the Department of Homeland Security, and also require Homeland Security to establish standards and a testing program to make sure those industries are taking the needed steps to harden their operations against cyberattacks.
His bill, the Cybersecurity Act of 2012, has been stalled by opposition from much of the business community, including the U.S. Chamber of Commerce. The Chamber objects to the measure’s emphasis on increased regulation. Lieberman’s office insists that the regulations would only apply to a narrow group of critical industries such as power companies and telecom companies, whose failure could be “devastating to the U.S. economy and even to people’s lives,” as one staffer puts it. Such companies, the staffer adds, are “already heavily regulated by the government.”
The Chamber, in a letter supporting an alternative bill called the SECUREIT Act of 2012, offered by Sens. John McCain (R-Ariz.) and Kay Bailey Hutchison (R-Texas), which calls for no new regulation, argued against burdening businesses with additional cybersecurity regulations.
"New compliance mandates would automatically drive up costs and misallocate business resources in a tough economy without necessarily increasing security,” the Chamber wrote. “Critical infrastructure owners and operators already devote significant resources toward protecting and making their information systems more resilient because it is in their overwhelming interest to do so and good for the country.”
Lieberman and his co-sponsors, Sens. Susan Collins (R-Maine), Diane Feinstein (D-Calif.) and Jay Rockefeller (D-W.Va.), disagree, arguing that the trillions of dollars in economic losses that could be caused by a serious attack on U.S. infrastructure mean increased regulation of key industries is sorely needed.
Neither the measure’s sponsors nor the Chamber have estimated what the regulations might cost companies. A Bloomberg survey of technology managers at 172 U.S. companies and agencies earlier this year showed the managers estimated they would have to spend almost nine times more on security to be defended against 95% of cyberattacks.
Republican opposition has prevented the Lieberman bill from gaining the 60 votes that are required in the currently ideologically gridlocked Senate for any bill to get a hearing and a vote. But the measure has the support of Senate Majority Leader Harry Reid (D-Nev.). And Lieberman, who has been tweaking the bill to gain more supporters, claims he is close to gathering the 60 votes needed to put the bill to a vote before the Senate recesses in early August.
The senator also needs to win over Democrats who are concerned about the bill posing threats to consumer privacy.
If the measure passes, it would go into conference with the House, which already passed a U.S. Chamber-backed cybersecurity bill that eschews further regulation. The White House has warned that President Obama would veto the House version as being “too weak.”
The Lieberman bill is not without corporate supporters. Nilmini Rubin, a government affairs spokesman for the Information Technology Industry Council (ITI), says the organization supports the Lieberman bill in principle but does not want it to be “overly regulatory” in nature.
A spokeswoman at Pepco, the utility that provides electricity to Washington and the surrounding suburbs, says, “We appreciate the work the House has put in, but we really want to see action on the Senate side.”
“We believe we must work with the government in terms of legislation, regulation and readiness response,” the Pepco spokeswoman adds.