Sen. Joe Lieberman (Jacquelyn Martin/Associated Press)
By EMILY WILKINS
Hearst Newspapers Washington Bureau
Connecticut Sen. Joe Lieberman says his cybersecurity legislation would help protect the nation’s private-sector infrastructure from cyberattacks. But U.S. manufacturers worry about the additional costs they would be required to bear to secure critical infrastructure, and Republican senators are trying to slow it down.
But to Lieberman, the alternative might be worse.
“To me, it feels like September 10, 2001,” Lieberman said in a hearing on the bill yesterday in the Committee on Homeland Security and Government Affairs, which he chairs.
“The question is will we act to prevent a cyber-9/11 before it happens instead of reacting after it happens?”
The Senate bill seeks to ensure that critical infrastructure companies in the private sector have adequate programs in place to prevent cyberattacks. It places requires private companies involved in critical infrastructure — from utilities to financial services companies to telecommunications giants — to coordinate with the Department of Homeland Security on cyberattacks and information.
James A. Lewis, the director of the Technology and Public Policy Program with the Center for Strategic and International Studies who testified at yesterday’s heading, made it clear both there and in an interview with Connecticut Politics that every critical infrastructure network that has been examined has been found to be vulnerable.
“They’ve all been hacked,” he told Connecticut Politics. “Every single one.”
A 2010 McAfee report on cyberattacks of critical infrastructure stated that while about 35 percent of large-scale malware attacks don’t affect corporations, more than half had some impact on operations with 12 percent causing a serious, sustained effect on operations (environmental damage and flooding were listed as examples) and 4 percent causing a “critical breakdown.”
In the Senate, the bill has been openly opposed by seven senior Republican senators who signed a letter seeking to delay action on Lieberman’s proposal until other Senate committees are able to weigh in.
This is not the kind of legislation that can result in a carefully balanced solution unless the full process is afforded,” the Republicans, who serve as the top GOP member of other Senate committees, wrote.
But Lieberman said the bill, which has been in the works for three years, has had wide, bipartisan input.
“The process by which we reached this cybersecurity legislation was very inclusive,” he said during the hearing. “We not only worked across committee lines, but reached out to people in business, academic, civil liberties and privacy, and security experts for advice on many of the difficult issues any meaningful piece of cyber legislation would need to address.”
Brian Raymond, the director of technology policy at the National Association of Manufacturers, which represents critical infrastructures and their suppliers, said the bill contains several good provisions, but still raises some concerns. A section that provides for information sharing between the private sector and the government would be beneficial — provided the information can be kept secure. What companies worry about are the additional regulations and their cost.
“More regulatory prescriptions aren’t going to improve cybersecurity,” Raymond said. “(The bill) creates an open-ended regulatory process and hands it to an agency that hasn’t dealt with some of these industries in the past.”
Raymond said that many sectors already have their own regulations and additional layer of legislation could hamper the industry.
“The last thing our economy needs to grow and build jobs is more regulation,” Raymond said.
But CSIS’ Lewis argued the current system has serious security gaps.
“We have this uncoordinated approach to national defense and that makes us vulnerable,” he said.