Editorial Board

U.S. Needs Flexible Laws to Boost Cybersecurity: View

You probably feel it intuitively. The grids underlying our digital lives -- our bank accounts, mobile phones, e-mail, medical records -- are more vulnerable than ever.

Companies such as Lockheed Martin Corp., Citigroup Inc. and Sony Corp. have recently reported serious breaches of their networks. NASA said last week that hackers had launched 13 major attacks against it last year, including one in which they gained access to networks at the Jet Propulsion Laboratory, which manages active space missions. The national counterintelligence executive, a federal post, estimates that $398 billion in U.S. research and development spending is jeopardized by cyberespionage from China and Russia.

As scary as all this sounds, cybersecurity is a manageable problem. The most important thing for Congress is to act quickly -- but not overreact.

The Cybersecurity Act of 2012, a bipartisan bill backed by Senator Joseph Lieberman of Connecticut and introduced Feb. 14, is a noble but imperfect start. It would require operators of critical networks -- such as those used by utilities, banks and telecommunications services -- to meet federal security standards overseen by the Department of Homeland Security. Companies could devise their own ways to meet the new standards, but would be subject to performance evaluations.

The bill would also require information sharing about attacks and emerging threats -- both among covered companies and between the private sector and federal agencies -- in so-called cybersecurity exchanges.

A Few Problems

So far so good. Unfortunately, the bill defines as “critical” systems that, if disrupted by a cyberattack, “would cause mass death, evacuation, or major damage to the economy, national security or daily life.” Congress is right to try to avoid placing overbearing regulation on too many industries. But as James A. Lewis of the Center for Strategic and International Studies has argued, this definition is too narrow: Cyberattacks aren’t going to cause mass death anytime soon.

A competing bill, introduced March 1 and backed by Senator John McCain of Arizona and other Republicans, would encourage companies to voluntarily share information with the government and with one another. Republicans argue that no one has a greater incentive to prevent cyberattacks than companies themselves.

Again, sounds great. Except that making your business more secure costs money. A study by Bloomberg Government of 172 organizations in six industries and the government found that they would need to increase their cybersecurity spending almost nine times over -- to $46.6 billion from the current $5.3 billion -- to achieve security that could repel 95 percent of attacks.

Not all of that would be new spending, and companies that are already working hard at cybersecurity would have a much smaller hill to climb. But executives may be tempted to cut corners on such protections unless they have incentives: Loading up on security spending could put you at a competitive disadvantage -- and why would anyone really want to attack your little company anyway?

Such calculations are perhaps why 71 percent of cybersecurity professionals would like to see the federal government take a more active role against cyberattacks, according to a 2010 study by the Enterprise Strategy Group, an IT consulting firm. True, these are precisely the people who would benefit from increased attention (and spending) on cybersecurity. Nevertheless, their point holds: If the government creates uniform security standards, a given company won’t be at a disadvantage for taking proper precautions.

Harnessing Competition

This is where the Lieberman bill is smart. By letting businesses develop their own means of meeting the federal standards -- through new software, for instance -- the bill could harness competition to create efficiency in meeting the threats from cyberspace.

To fix the bill’s flaws, the Senate should broaden the definition of critical infrastructure modestly -- for instance, by requiring some commercial information-technology companies to adhere to federal standards on installation and maintenance procedures. It should ensure that the requirements for companies are as flexible as possible, to allow for unanticipated new threats and to enable the quick correction of flawed measures or unforeseen consequences. It needs to strengthen privacy safeguards in its information-sharing provisions convincingly.

And, finally, it should allow the National Security Agency, which spies on communications abroad, to share threat information with companies in critical industries and to advise on security measures, while giving the Department of Homeland Security ultimate authority to ensure companies are meeting the new standards.

Critics of this approach argue that the government will always be a step behind hacking technology. Regardless of whether this is true -- and no one really knows -- it isn’t a good excuse for inaction. Cybersecurity is clearly an area where federal intervention is warranted to protect the public. The trick will be securing our digital lives without jeopardizing the freedom and flexibility that make them worthwhile.