Last week's defeat of the Lieberman-Collins cybersecurity bill sends lawmakers back to the drawing board to craft legislation that strikes a fine balance between protecting critical national infrastructure against attack and addressing the privacy and cost concerns expressed by opponents of the original bill. While at this point it is uncertain when new legislation can be introduced, it is becoming increasingly clear that the United States, as well as a number of other countries, remains highly vulnerable to attack by foreign nations, cyberterrorists, hacktivists and garden-variety cybercriminals.
"Cyberwarfare is especially inviting to countries that don't have the same level of military capability," said Chris Petersen, CTO of LogRhythm, a Boulder, Colo.-based SIEM vendor. "We have enemies who look at cyberwarfare as a great asymmetric weapon. They could use it to disrupt our communications, transportation, energy grid, etc. They don't even really have to do the actual attack. Sometimes it is the threat that makes a difference in certain cases. But, if they can disrupt the operation for a prolonged period of time, that would put us in a very bad position from the ability to project policy and project power."
One of the things that makes the United States especially vulnerable is the fact that much of our crucial infrastructure is either owned or controlled by private corporations. This means that the investment necessary to protect that infrastructure depends on budgetary survival in an environment where cost control and shareholder value are the preeminent business objectives. And, given that large-scale attacks have not yet occurred, many opponents of the cybersecurity bill have questioned the validity of the threat.
"We have to rely on businesses to do the right thing, and for them, doing the right thing is to take care of the shareholders unless some overarching reason compels them to do otherwise," Petersen added. "They will protect their networks to the degree that they need to in order to fulfill their first obligation of the shareholders. But, I'm not sure that it's reasonable to expect them to defend themselves to the extent where they are preserved against an attack by a nation/state. This is not a trivial cost."