Last week's defeat of the Lieberman-Collins cybersecurity bill sends lawmakers back to the drawing board to craft legislation that walks a fine balance between protecting critical national infrastructure against attack and addressing the privacy and cost concerns expressed by opponents of the original bill. While at this point it is uncertain when new legislation can be introduced, it is becoming increasingly clear that the United States, as well as a number of other countries, remain highly vulnerable to attack by foreign nations, cyberterrorists, hacktivists and also your garden-variety of cybercriminal.
"Cyberwarfare is especially inviting to countries that don't have the same level of military capability," said Chris Petersen, CTO of LogRhythm, a Boulder, Colo.-based SIEM vendor. "We have enemies who look at cyberwarfare as a great asymmetric weapon. They could use it to disrupt our communications, transportation, energy grid, etc. They don't even really have to do the actual attack. Sometimes it is the threat that makes a difference in certain cases. But, if they can disrupt the operation for a prolonged period of time, that would put us in a very bad position from the ability to project policy and project power."
One of the things that makes the United States especially vulnerable is the fact that much of our crucial infrastructure is either owned or controlled by private corporations. This means that the investment necessary to protect that infrastructure depends on budgetary survival in an environment where cost control and shareholder value are the preeminent business objectives. And, given that large-scale attacks have not yet occurred, many opponents of the cybersecurity bill have questioned the validity of the threat.
[Related: The Biggest Data Breaches of 2012 (So Far)]
"We have to rely on businesses to do the right thing, and for them, doing the right thing is to take care of the shareholders unless some overarching reason compels them to do otherwise," Petersen added. "They will protect their networks to the degree that they need to in order to fulfill their first obligation of the shareholders. But, I'm not sure that it's reasonable to expect them to defend themselves to the extent where they are preserved against an attack by a nation/state. This is not a trivial cost."
NEXT: Cyber Is The "Great Equalizer"Many security advocates believe that cybersecurity will be unable to attract the necessary support until some 9/11-style event disrupts our sense of safety.
"People will not truly get this until they see the real implications of a cyberattack," said Shawn Henry, formerly the FBI's assistant executive director and currently president and CEO of CrowdStrike Services, during a presentation at last month's Black Hat conference. "Cyber is the great equalizer. Anybody with a $500 computer and an Internet connection can attack anyone at any time while sitting in their pajamas."
LogRhythm's Petersen agrees that we have been fortunate enough to avoid a large-scale attack that has largely impacted the American way of life, but increasingly weaponized technology combined with the growing number of disaffected world citizens places us at substantial risk.
"The recent failure of the Cybersecurity Act demonstrates that we probably need some major event to bring about the will to do something," he said. But, by that time, it might already be too late. And, since we are on a reactive footing at that point, we might actually overreact. If we overreact, privacy will probably be completely put aside. That's a major concern as well."
According to Petersen, the bill was more of a proverbial carrot than a proverbial stick, as lawmakers strove to do everything they could to maximize the odds of passage. He believes that the legislation was at least a step in the right direction, but he remains unconvinced that the bill as written would have had the desired effect. "I think if we really require and expect corporations to invest in the necessary resources to defend their infrastructure, it might take a little bit more of the stick," he said. Petersen also suggested that tax dollars will need to be applied to this effort given that cybersecurity needs to emerge as a major national objective.
"I think we are extremely vulnerable," he added. "When we deploy our technology into the environments of large utilities, they've usually got all the components of security that you can buy. But, we almost invariably find custom malware that they had no idea was on their networks. These are companies that are running critical infrastructure, and I believe a lot of them are already compromised."
PUBLISHED AUG. 7, 2012
This story was updated on Aug. 8, 2012, at 9:20 a.m. PST, to correct for a typo, changing from " ... to take your the shareholders ..." to " ... to take care of the shareholders ..."