The Senate Commerce, Science and Transportation Committee, led by Chairman John Rockefeller and Ranking Member Olympia Snowe, held a long-awaited hearing on Cyber Security. The Chairman began with the thought that a major cyber attack could shut down our nation’s most critical infrastructure. He called for legislation to “modernize the relationship between the government and the private sector on cyber security.” This is the committee’s fourth version of its legislation (S. 773, the “Cyber Security Act of 2009”), but it has yet to set a date for a formal markup in the committee. Snowe commented that “We’d like to get something done this year, [but it] remains to be seen.”
Snowe implied that Congress may include incentives such as liability protections and tax incentives for firms that meet performance measures and best practices. He wants the White House cyber coordinator, currently a member of the National Security Council, to be a Senate-confirmed official who could be compelled to testify to Congress.
A stellar group of witnesses appeared. They included Vice Admiral Michael McConnell (USN, Ret.), former DNI, and now with Booz Allen Hamilton. He made the biggest news when he said that if the United States were in a cyber war today, we would lose because “we are simply the most dependent and the most vulnerable to attacks.” He called for passing the Rockefeller/Snowe bill to protect critical infrastructure and preempt adversaries. McConnell pessimistically said that “we will talk about [passing a bill],” but it may take a catastrophic event before we act.
Dr. James A. Lewis, Director and Senior Fellow at the Center for Strategic and International Studies, also voiced support for the bill. Lewis said the Internet was like the Wild West and real security of global infrastructure may not be achievable without domestic and international regulations. He pointed to historical examples of lagging regulation in other industries. Industry leaders always objected, but eventually rules were needed. In his written testimony, Lewis said that “Every time a new technology has reshaped business, warfare and society, there has been a lag in developing the rules . . . needed to safeguard society.”
Mr. Scott Borg, the Director and Chief Economist, U.S. Cyber Consequences Unit, stated that presently, the biggest cyber losses to the U.S. economy are due to “massive thefts of business information.” He also cautioned the committee that some aspects of cyber security cannot be legislated; legislation is just too slow. Technology and cyber attack techniques change so rapidly that “if the government tries to mandate standards, they will be out of date – and an actual impediment to better security – before they can be applied.”
Other witnesses were Rear Admiral James Arden Barnett Jr. (USN, Ret.), Chief, Public Safety and Homeland Security Bureau, Federal Communications Commission (FCC), who emphasized the need to include a mix of regulation and public-private partnerships. Another was Ms. Mary Ann Davidson, Chief Security Officer, Oracle Corporation. She made two recommendations to the committee: (1) reform university-level educational curricula for computer science so students learn to incorporate security into software from the beginning; and (2) work to lessen the nation’s exposure to systemic risk.
All these witnesses added to the growing discussion on cyber security. We do, however, also need some action.