May 25, 2011

Washington Gets Serious About Cyber Security

With Republicans in control of the House of Representatives, Democrats in control of the Senate, and both parties focusing on next year's election, there's a whole lot of nothing happening in Washington right now.

But there are a few areas where legislation of some significance could emerge. Prominent among them: cybersecurity.

National security is, at least in theory, a cause that can attract bipartisan support. And China Inc.'s massive theft of American intellectual property and the frightening prospect — however remote — of a major attack on the country's electrical grid or banking system offer plenty of incentive for action.

The opportunity for a major bill is of particular interest to Rhode Island's Congressional delegation. Representative James Langevin is among a handful of key players in the House on the issue and Senator Sheldon Whitehouse has been active on cybersecurity in his chamber.

But until recently, Langevin, Whitehouse, and the rest of Washington officialdom were playing a painful waiting game.

Even as Senate aides worked behind the scenes to craft a comprehensive bill, Congressional leaders felt they couldn't act until the Obama Administration had conducted a thorough review and staked out a position. And it took a long time for the administration to stake out a position.

But finally, earlier this month, a proposal.

The biggest concern in cybersecurity circles is an attack on critical infrastructure — plunging the East Coast into darkness, for instance, or dismantling Wall Street. The trouble is, the vast majority of that infrastructure is controlled by a private sector that has little incentive to invest in protecting against a low-probability threat.

The White House's solution: require companies owning sensitive infrastructure to develop cybersecurity plans that would be audited by a third party. Firms that fall short could be publicly named and shamed, possibly spooking customers. And their plans would be subject to Department of Homeland Security revision.

It is, by most accounts, a restrained approach — no heavy regulation, here, for a private sector that has dawdled for years.

But Travis Sharp, an analyst with the Washington-based Center for a New American Security, says that approach is probably appropriate. Both government and business have made mistakes on cybersecurity, he says. And a flexible, collaborative approach, he suggests, is the best way to get better results moving forward.

The plan has plenty of critics, though — Langevin among them. The representative, who gives the administration credit for "moving us in the right direction," says more robust, direct regulation is required in some places.

"I don't want government to intrude in the private sector any more than is necessary," he says. "But I use the example of the airline industry . . . They have an interest in making sure they get the traveling public safely to their destination. But I believe their interest in providing good service will only get us so far in terms of safety. I don't think anybody would argue that we shouldn't have the [Federal Aviation Administration] or the [National Transportation Safety Board]."

Langevin has also called for a National Office of Cyberspace (NOC) in the White House, with a Senate-confirmed director, to coordinate policy and whip into shape federal departments that have done a poor job of protecting their own networks.

The NOC proposal seems an increasingly tough sell, with the president's recently released proposal suggesting that authority reside in the Department of Homeland Security instead.

But Senator Whitehouse, among others, says he does expect the Senate bill to be tougher on companies controlling critical infrastructure than Obama recommends. One idea: a separate domain — think .secure rather than .com or .org — for critical infrastructure, with heightened security and heightened surveillance of users.

Whitehouse, who is sympathetic to the civil liberties concerns that come with security upgrades, says a .secure tag would send a clear signal to users that they cannot expect the same privacy they enjoy in the .com domain.

The proposal, trumpeted by some military leaders too, has faced robust opposition from Silicon Valley types who frown on any perceived assault on the open nature of the Internet. And private sector pressure is sure to be a major force in shaping any legislation that comes out of Congress. You can bet, for instance, that the utilities and banks will have something to say about the cybersecurity mandates proposed by the Obama Administration and Senate leadership.

James Lewis, a former State Department official now with the Washington-based Center for Strategic & International Studies, says the Obama and Senate proposals, whatever their differences, are in the same league. Both make an important attempt to impose cybersecurity responsibilities on powerful corporations.

"They're going to get a lot of pushback," he says, of administration officials. "I hope they stick to their guns."