Protecting against cyber-attacks

By Senators Lindsey Graham and Sheldon Whitehouse
April 9, 2013

Last year, Congress failed to forge a workable framework for cybersecurity to protect the United States against a fast-growing national security and economic threat. Our cyber-networks remain dangerously vulnerable to outside attack and are the repeated targets of foreign governments intent on stealing the fruits of our intellectual and business efforts. Congress must address this crucial issue.

The threat to our critical infrastructure, national security and economic prosperity was laid out in a February report by Mandiant, a respected U.S. computer security firm. An elite unit of Chinese hackers affiliated with China’s People’s Liberation Army, the report concluded, is likely behind a wave of attacks on U.S. government and business computer systems.

Since 2006, according to the report, the Chinese unit has stolen data – including blueprints, test results, business plans and emails – from at least 115 U.S. companies across a wide spectrum of major industries.

Almost every facet of American life is threatened when intruders exploit our cyber-vulnerabilities. And the risk is not from China alone. Foreign governments like Iran and terrorist organizations such as al Qaeda seek to worm into critical national infrastructure and threaten catastrophe here at home. Foreign agents raid our companies, stealing plans, formulas and designs. Foreign criminal networks take money out of our banks, defraud consumers with scams and sell illicit goods and products, cheating U.S. manufacturers. It may be the greatest illicit transfer of wealth in human history.

If you’re a business owner, listen to our top cyber-experts, who say there are only two kinds of businesses: those that have been hacked, and those that don’t know they’ve been hacked. If you’re a consumer, know there’s a third group: those who know they’ve been hacked and won’t admit it.

Following Congress’ failure to act, President Barack Obama has issued an executive order to address some of our nation’s vulnerabilities. But an executive order can’t accomplish everything that needs to be done.

We both worked hard last year to forge a bipartisan legislative compromise, and still believe it can be reached. To get this right, a bipartisan solution must include the following elements:

First, there must be far more disclosure of cyber-threats. Americans should not be in the dark about the risks we face. The government should do more public reporting, and companies should be candid with shareholders and customers about the problems.

Second, companies that operate critical U.S. infrastructure should meet some basic standard to protect their customers and our way of life. We have discussed ways for government to work with industry to set these standards while allowing private-sector initiative to determine the specific manner of companies’ compliance. The model may work for other sectors, as a more nimble, smarter alternative to overly prescriptive administrative regulation.

Third, government agencies and private industries, particularly the communications companies that run the Web’s infrastructure, need to share more information about the threats they see on their networks. This will require removing existing legal barriers – while protecting classified information and privacy.

Fourth, prosecutors should have the resources to pursue international cyber-criminals. These cases are technically and legally complex, involve difficult intelligence, diplomatic and foreign law challenges, and require massive forensic capability. Rather than complain about cyber-robbers overseas, we’d like to see them indicted and prosecuted.

Fifth, we need to make sure that training is available to bring Americans into the cybersecurity field, and maintain our technical leadership in this crucial area. Cyber-danger is not going away. More and more of our business and personal lives will take place in cyberspace. Cyber-threats will expand and evolve. America must be prepared.

In all this, we must safeguard the privacy of U.S. citizens. We can keep the United States secure without infringing dearly held liberties. Well-crafted legislation can achieve this.

We must do this, because we never want to see a nightmare scenario become reality.

Imagine waking up one morning to find the power out at home, and no signal on the phone or computer to tell you what’s going on. You drive into town and find dozens of people in front of the banks, wondering why the ATMs aren’t working. There are lines at gas stations and supermarkets because businesses can’t process sales on credit or debit cards.

The failures all around you – no heat or air conditioning, no banking, no Internet or phone, and cash-only sales in the stores that are open – have no end in sight. There may even be smoke on the horizon from a plant on the outskirts of town, aflame because of compromised equipment.

A cyber-attack could cause all this. We need to work together to ensure America never has to face that day.

PHOTO (Top): Marine Sergeant Michael Kidd works on a computer at ECPI University in Virginia Beach, Virginia, February 7, 2012. He is retraining at the naval air station to fight cyber threats. REUTERS/Samantha Sais

PHOTO (Insert): A building of Shanghai 863 Information Security Industry Base Co., Ltd, headquarters at the Zhangjiang High Technology Park on the outskirts of Shanghai, March 16, 2013. Chinese university faculty have collaborated for years on technical papers with a People’s Liberation Army unit accused of being behind China’s alleged cyberwar against Western targets. REUTERS/Carlos Barria

4 comments

I agree. We need to act quickly. I like that you say “Second, companies that operate critical U.S. infrastructure should meet some basic standard to protect their customers and our way of life. We have discussed ways for government to work with industry to set these standards while allowing private-sector initiative to determine the specific manner of companies’ compliance. The model may work for other sectors, as a more nimble, smarter alternative to overly prescriptive administrative regulation.”

I think that “PCI DSS” is a mature approach to protect sensitive information in the payment industry. The “PCI DSS” rules would be a great starting point also in this area.

Ulf Mattsson, CTO, Protegrity

Posted by UlfMattsson

“well crafted legislation”..? crafted by whom..?

Posted by rikfre

The US developed the internet and then cyber warfare, and it is the only nation on earth to launch a cyber attack against another nation successfully, referring to the Stuxnet attack on Iran.

The US developed nuclear weapons and used them successfully against Japan, as the sole nation that has used nuclear weapons.

However, the US always hates other nations doing the same thing. Great world leader.

Posted by Kailim

Another classic case of creating fear and then using it to monitor and control the populace. The part about being able to pursue cyber criminals is fantastically worrying when you consider the increasing trend for the US to stray from the judicial path when it suits them. Hundreds of prisoners held in custody without even so much as being charged. I can just see gun-slinging, self-appointed protectors of the Internet hounding those that dare to voice an unpopular opinion.

Posted by crumblestrip