cites a UPI report:
In previous versions of the Cybersecurity Act, businesses and the corporate sector at large were put under various obligations to ensure security of their systems against cybercrime and cyberterrorism.
But Republican objections made those provisions unsustainable and further changes eliminated those clauses.
The problem with this situation is that corporations are directly hardwired into national networks on multiple levels. Cyber attacks against US government agencies are at record highs, four times the number of 2010 in some cases. The rest of the world isn’t much better off. Even Australia has a more or less constant barrage of hacker attacks, but the US is under attack more than any other nation.
Whatever the political rationale, the US is not in a position to be too casual about its cyber security. The risks are very real, and the threats are multiple. A serious cyber attack, in fact, would probably do a lot of major damage to corporate America, which is a key target for terrorists. Most major US companies receive a rather sickening combination of threats and actual attacks every week, or in some cases every day.
The removal of compliance clauses sounds very much like saying you don’t need a police force because you haven’t been killed yet. Some would say that after the event is a bit late. It’s unnecessary to dwell on this point much, but any successful major attack would by definition be a serious hit to the US. The corporate collateral damage would be equally serious.
President Obama said in a Wall Street Journal op-ed:
… "critical infrastructure networks" haven't been disrupted or damaged but "foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day."
"Last year, a water plant in Texas disconnected its control system from the Internet after a hacker posted pictures of the facility's internal controls," he said. "More recently, hackers penetrated the networks of companies that operate our natural-gas pipelines. Computer systems in critical sectors of our economy -- including the nuclear and chemical industries -- are being increasingly targeted."
Obama goes on to say, quite correctly, that militarily inferior opponents could exploit cyber security vulnerabilities in a conflict. That, by the way, could include absolute chaos, like financial system crashes, water, power, etc.
The general verdict from at least one legal critic published by heritage.org on the revised Cybersecurity Act is even grimmer, and includes this truly bizarre piece of information:
The other critical portion of the bill is the set of information-sharing provisions. This bill continues the earlier focus of the prior version on the creation of cybersecurity exchanges in the federal government for sharing threat and vulnerability information. As drafted, the bill is likely to fail to achieve these modest objectives.
The bill requires the creation of a federal civilian cybersecurity information exchange, presumably led by DHS. The idea of strengthening DHS’s role in this program is laudable, but the bill deliberately excludes the possibility that the Department of Defense and/or the National Security Agency might also operate an exchange. While there is a legitimate reason for concern over the militarization of cyberspace defense, it seems highly inefficient and ineffective to require all defense efforts go through DHS to get information in all cases. Surely there must be a subset of cases where direct military engagement is both appropriate and even necessary.
What? DHS overrides military? The last time that happened was in the bad days of the CIA, with disastrous results in Vietnam. The information-sharing idea also has its rather grotesque characteristics:
The bill also authorizes lawsuits against the U.S. government for violations of the limitations and authorizes the award of attorney’s fees. This inclusion is clearly an attempt to create an incentive for lawsuits, which would chill information sharing.
Authorizes attorney’s fees?
What the hell is that doing in federal security law? Let them send in a bill like everyone else. Billing by lawyers is not a matter for statutes. One of the proponents of this revised act is Senator Joseph Lieberman (yes, he's still around). Lieberman, in an earlier incarnation as a Democrat, was a hawk, all pro-security. This thing, if the interpretation on heritage.org is even half right, is anything but security-friendly. It's a bureaucratic cesspit of additional procedures for incidents which can happen in microseconds.
Let's clarify one thing here: a cyber 911 would be even worse than the original. It's not a thinkable option. Congress must get this right. There's no safety catch on this one. If it goes "bang", everyone gets hurt.