Editorial: Congress needs to prepare for cyberwarfare
The hits just keep on coming. Practically every day now another big brand company reveals its computers have been hacked. Apple, Facebook, The New York Times, Coca-Cola and Twitter have all been recent targets. While some of these cyber attacks may be mischief and others more mercenary theft of company secrets, the defenselessness of these major companies makes real the vulnerability of our nation to cyberwarfare.
Aggressive attacks by foreign nations or hostile groups targeting defense contractors and critical infrastructure -- such as electrical grids, oil and gas pipelines, and banking and financial systems -- soared 17-fold from 2009 to 2011, according to the head of the U.S. Cyber Command. China especially appears to be aggressively involved, and there are even more sophisticated invasions coming out of Russia; the potential for nonstate organizations, such as al-Qaida, is clear. There are extraordinary risks of deliberate harm to life and property.
That makes preventing, detecting and responding to cyberattacks an urgent matter of national security.
But for three years, Congress has tried and failed to enact legislation to facilitate the cooperation needed between the government and companies that operate critical infrastructure to give the nation its best shot at countering the mushrooming threat. Recent attempts to legislate were stymied by the valid concern of burdensome government regulation.
President Barack Obama stepped into the void Feb. 12 with an executive order allowing critical infrastructure companies to join a program that gives government contractors near real-time information on cyberattacks. He also ordered officials to develop recommendations that companies could adopt, if they choose, to better secure their computer systems. That's a decent start, but just a start.
Congress should enact a more muscular program with mandatory, two-way information sharing. Companies operating essential services need to know the nature of the attacks directed at others and share with one another how to prevent or counter them. Government officials need a view of the big picture in order to discern patterns in attacks against the United States that could help identify the culprits.
Some companies will be reluctant to disclose they've been hacked because it could undermine confidence in their businesses and lead to lawsuits by customers if private information is compromised. Congress should give those who share cybersecurity information some protection against liability.
What Congress should not do is impose mandatory standards for companies operating critical infrastructure. Technology changes quickly, and so do the methods of creative hackers. It would be difficult for government regulation to keep pace. So rather than burdening companies with cybersecurity mandates, Congress should free companies to do it their own way. Insisting on mandates ensures continued failure in Congress, when it's imperative to get something done.
This threat is so serious that the administration recently created a "Distinguished Warfare Medal" reserved for people who greatly assist the war effort by piloting drones or devising computer defenses or creating digital code to attack an enemy's networks. This is 21st century warfare and we must be ready.