On Valentine’s Day, four Senators introduced Senate Bill 2105, which is also known as the Cybersecurity Act of 2012.  If you would like to read the bill as it was introduced, it is available in full as presented.   If passed, this law would authorize the Federal government to regulate the security of privately owned critical infrastructure, much of which is controlled by Internet-connected systems and susceptible to being hacked.  This includes electrical power grids, telecommunications networks, air traffic control systems, dams, and nuclear power plants.  Said differently, this would allow the Federal government to have security standards, to assess a company’s compliance, and to levy fines if the security is not sufficiently high.

Last week, the Wall Street Journal reported that a group of Senators have weakened the bipartisan legislation.   They responded to business lobbyists who claimed that such regulations would “regulations would create a costly and cumbersome process.”  Rather than requiring the companies to meet these regulations, they should be encouraged to do so.  According to Senator John McCain, “Instead, we must leverage the ingenuity and innovation of the private sector in partnership with the most effective elements of the federal government to address this emerging threat.”

I am perplexed as to why Senator McCain, who has a strong record on National Security, would take this stand …. unless he does not really understand the real and present threat of such an attack.  Consider the number of companies in the last few months that have reported a security breach.  Sometimes the breach provides thieves with passwords, which can be problematic enough, but sometimes instead it is social security numbers, bank accounts and more personal information.  The people whose identities are stolen have a never ending hassle to fix the problem.  Many companies do not take security as seriously as they should.  Even when security is a priority, the companies have a significant task keeping a step ahead of the hackers.

Now, take that up to a regional or national level.  Suppose the U.S. had no access to electricity or telecommunications equipment.  Suppose this is not for a couple of hours as you might get in a thunderstorm, but rather for an extended period of time.   What would that do to the company’s productivity?  What if it happened during peak holiday shopping and no one could buy gifts or food?  What if it happened on election day and half the people were not able to vote?  What if …. there are many horrible examples.

We have already proven this can happen.  Well, it is unclear whether “we” proved it or someone else proved it by the introduction of the Stuxnet virus into Iran’s nuclear reactor.  Not only did it stop operations, but it did it in a way to damage the plant and roll back their development.  Other similar viruses, aimed at the “Internet of Things” (such as a power plant) have also been identified.

People release viruses all the time — sometimes without even knowing the impact of what they have done.   Why do we believe it won’t happen here?  Personally I think it is because people just do not understand technology and what security breaches can do.   They understand bombs or people shooting guns and know how to respond.  But electrons?  It is easy to listen to those claiming to be experts and follow their advice.

I hope we get the legislation.  I hope that it is flexible enough to be able to adapt to the rapid changes in technology.  I hope we can find a way to protect ourselves before it is too late.  If you agree, please share your concern with your Senators and Representatives.

 

A postnote:  Even weakened, the bill failed.  Too many people thought telling infrastructure companies that they need to be secure was a problem.  Sigh.