Congress Fiddles as Cyberattacks Intensify
Firms are opposed to costly new laws. But they might have the most to lose.
When it comes to bolstering cybersecurity -- safeguarding a wide array of computer networks that control everything from the U.S. electrical grid and water plants to financial and medical records -- meaningful protection is a long way off, even as cyberattacks score hit after hit on U.S. targets.
Businesses are increasingly vulnerable as cloud computing and mobile commerce gain in popularity. Both favor access and usability over security, and cybercriminals are taking notice. Many of the most vulnerable computer systems "were never designed to be secure," says Joe Weiss, managing partner at Applied Control Solutions LLC, which provides strategic consulting on industrial cybersecurity.
Cybertheft costs firms $1 trillion worldwide, a figure that includes worker downtime, financial losses, physical repairs and the cost of rebuilding damaged business reputations.
Also on the rise: more-sophisticated malware, such as the Stuxnet computer worm and Aurora, a China-originated attack on Google, Adobe Systems, Morgan Stanley, Dow Chemical and other companies. What's more, many breaches go unnoticed for weeks. Note that the U.S. and Israel secretly used the Stuxnet worm to crash nearly 1,000 centrifuges critical to the development of Iran's nuclear program. And "it's much easier to attack our power companies than centrifuges in Iran," says Alan Paller, director of research at SANS Institute, a cybersecurity training school.
The problem is, there's no cheap fix. Experts say U.S. firms would have to triple spending over their current budgets to ward off attacks. And putting every exposed weakness behind a firewall would cost even more.
The cost factor is largely behind Congress' inability so far to pass legislation that would begin to address needed standards and other steps to stop cyberattacks.
Lawmakers removed a provision requiring firms to comply with government standards on cybersafety in favor of voluntary compliance, but even the dilution draws protests. Business groups say a cybersecurity law would create burdensome regulations, with no guarantee of success. They're also reluctant to share data with the feds.
"In all my years working to identify vulnerabilities to our national security, I can't think of an area where the threat is greater and where we have done less," says Sen. Susan Collins of Maine, the ranking Republican on the Senate Committee on Homeland Security and Governmental Affairs.
A bill can still pass later this year or next, however. The White House, CIA and National Security Agency will make it clear that they're not just crying wolf. The bill would set up a national cybersecurity council that would recommend standards. In coming years, even more stringent rules for sharing vital intelligence between businesses and government are likely, particularly if voluntary efforts fall short.
Spending on security measures will be ramped up, growing by 10% a year in the U.S. over the next five years. Should there be a big attack, spending will soar. Poised for big paydays: tech firms that specialize in online security -- Cisco, Oracle, McAfee, Symantec, IBM, Trend Micro, EMC and others.
There will be roaring demand for cybersecurity experts. The government alone wants to hire at least 10,000 specialists in coming years. The private sector will add 100,000. The median pay for "white hat" hackers and other experts will approach six figures.
Despite the debate and delay, the government, and eventually businesses defined as critical infrastructure, will have to take action, because it's a matter of when, not if, a potentially crippling cyberattack will occur. The question is, how prepared will the U.S. be to mitigate the damage?