Slashdot Mirror


Will It Take a 'Cyber Pearl Harbor' To Break Congressional Deadlock?

Hugh Pickens writes "For years lawmakers had heard warnings about holes in corporate and government systems that imperil U.S. economic and national security. Now Ward Carroll writes that in the face of what most experts label as a potential 'Cyber Pearl Harbor' threat, Republicans have stalled the Cybersecurity Act of 2012 with a Senate vote of 51–47 against the legislation. This drew a quick response from the staff of Secretary of Defense Leon Panetta: 'The U.S. defense strategy calls for greater investments in cybersecurity measures, and we will continue to explore ways to defend the nation against cyber threats,' says DoD spokesman George Little. 'If the Congress neglects to address this security problem urgently, the consequences could be devastating.' Many Senate Republicans took their cues from the U.S. Chamber of Commerce and businesses that framed the debate not as a matter of national security, but rather as a battle between free enterprise and an overreaching government. They wanted to let companies determine whether it would be more cost effective — absent liability laws around cyber attacks — to invest in the hardware, software, and manpower required to effectively prevent cyber attacks, or to simply weather attacks and fix what breaks afterwards. 'Until someone can argue both the national security and the economic parts of it, you're going to have these dividing forces,' says Melissa Hathaway, a White House cyber official in the Bush and Obama administrations. 'Most likely, big industry is going to win because at the end of the day our economy is still in trouble.'"

9 of 104 comments

  1. Yes by Anonymous Coward · · Score: 5, Funny

    Will It Take a 'Cyber Pearl Harbor' To Break Congressional Deadlock?

    Yes, when cyborgs attack Pearl Harbor, congress will probably do something about it.

  2. Patriot Act 2.0 by Anonymous Coward · · Score: 5, Insightful

    A "cyber-Pearl Harbor" would break congressional deadlock in only one sense: You'd get the online equivalent of the Patriot Act. Politicians only seem to be able to agree on conceding civil liberties for the fake perception of security.

  3. Sounds reasonable by Score Whore · · Score: 4, Insightful

    While the internet had its roots in DARPA, the reality is that the "public infrastructure" is privately owned. Critical government systems should not be on it. Critical privately owned and operated services (power, telecom, etc.) should be hardened to the extent that the provider desires or the contracts that they signed with various municipalities require.

    I've worked contract gigs with the armed services and I have a lot of respect for the technical skills they have, but that's irrelevant. Companies and businesses should be able to make their own decisions and benefit from their good decision making or suffer from their poor decision making. Anywhere that government intersects with private industry, it's on the government to make sure their contracts properly spell out their requirements. End of story.

    1. Re:Sounds reasonable by Jawnn · · Score: 4, Insightful

      While the internet had its roots in DARPA, the reality is that the "public infrastructure" is privately owned. Critical government systems should not be on it. Critical privately owned and operated services (power, telecom, etc.) should be hardened to the extent that the provider desires or the contracts that they signed with various municipalities require.

      I've worked contract gigs with the armed services and I have a lot of respect for the technical skills they have, but that's irrelevant. Companies and businesses should be able to make their own decisions and benefit from their good decision making or suffer from their poor decision making. Anywhere that government intersects with private industry, it's on the government to make sure their contracts properly spell out their requirements. End of story.

      While your reasoning is seductive, it is fundamentally flawed. The reality is that "government" buys a lot of its services from private companies. That includes utilities like electricity and water, as well as networking services. While there are a few three-letter federal agencies who can justify the expense and complexity of laying their own fiber/copper from place to place, most can do no such thing, not even close, so they buy what they need from the carriers. Yes, yes, we all know about the ways that networking over leased media, even over the public Internet, can be made reasonably secure. We also know that "secure" is not a state, but rather a process. Lastly, we know that many, many of the "moving parts" on the Internet are not kept as secure as they might be.

      All that said, I don't expect the federal government, much less Congress, to "get it right" when it comes to regulations regarding "cyber security". And I am seriously loath to let those bastards write a blank check to their favorite campaign donors from the "cyber security" industry, but at some point we are going to have to spend serious money to make sure that the lights stay on, the cell towers still work, and that emergency services communications still function. The expertise to "properly spell out their requirements" does not come cheaply. It will have to be bought. The Republicans are blocking this because the right barrels aren't going to get enough pork, not because they don't appreciate the problem. Nor do they give a shit about our privacy. I just hope like hell that the debate is vigorous and involves people who actually know what they're talking about. Yeah, I know. I'm a dreamer.

  4. Laws mean compliance, not security. by khasim · · Score: 4, Insightful

    The problem with legislating "security" is that you end up with "compliance" instead. The companies get a checklist and fill it in with the cheapest "solutions" possible that will allow them to check off each item.

    It's a start. Right now, most companies have no idea how to handle anything other than "run anti-virus software" on as many machines as can be conveniently handled.

  5. Deadlock? by phantomfive · · Score: 5, Insightful

    It isn't deadlock every time a bill is voted down. Sometimes it's just a bad bill and SHOULD be voted down.

    --
    "First they came for the slanderers and i said nothing."

  6. Oh god no by identity0 · · Score: 4, Insightful

    I guess we didn't learn anything from when 9-11 happened and we created the TSA, a group of intrusive busybodies at best and molesters at worst.

    Or organized all federal law enforcement under the DHS without actually thinking about how it would coordinate things so we have another layer of government that is busy trying to justify their existence by going after random stuff. I hear they do copyright enforcement now?

    I suppose we are set to see a Cybersecurity Agency with powers to monitor everything and permaban people from the internet based on anonymous accusations like the no-flight lists? What's the worst that could happen?

  7. The minority party gets blamed for stalling? by El Cubano · · Score: 5, Insightful

    Republicans have stalled the Cybersecurity Act of 2012 with a Senate vote of 51-47 against the legislation

    So, I am not an expert on politics, but in the current congress, there are 51 democratic senators, 47 republican senators, and 2 independents (both of whom caucus with the democrats). By my count, if every single senate republican voted against this, that still only comes to 47 votes. That means that the other 4 would have had to break ranks with the democratic party. So, just who is at fault here?

    Just saying.

  8. This. I teach cybersecurity for DHS by raymorris · · Score: 4, Informative

    I'm involved with teaching cybersecurity for DHS. Our network, that we use to develop cybersecurity classes, is about as secure as the "lock" on a bathroom stall. But we sure are in compliance with a lot of regulations! A coworker and I were just discussing the fact that agency "security" regulations prevent us from making things secure. Example: "anything hashed must be hashed with MD5". MD5 is broken, so we were going to use SHA-256, but regulations don't allow SHA-256. The other end refuses to use MD5 since it's broken, so we have to send the data in clear. With no "security" regulation it would be SHA-256 hashed. To comply with the "security" rules, we have to send it in the clear, out in the open. Such is government regulation.