Mandatory cybersecurity regulations necessary to protect U.S. infrastructure: Experts

Published 21 January 2015

Since last year’s cyberattacks made public the cyber vulnerabilities of major U.S. firms including Sony Entertainment, JPMorgan Chase, and Target, President Barack Obama has been on the offensive, proposing strict rules to better prosecute hackers and make U.S. firms responsible for protecting consumer information. Experts say, though, that private firms are unlikely, on their own, to make the financial investment needed to protect against a cyberattack on critical infrastructure. What is needed, these experts say, is a mandatory cybersecurity framework followed by all entities involved with critical infrastructure, strong protection of information about cyberattacks that is shared with DHS, and a sincere effort from the private sector to secure its own networks.

Since last year’s cyberattacks made public the cyber vulnerabilities of major U.S. firms including Sony Entertainment, JPMorgan Chase, and Target, President Barack Obama has been on the offensive, proposing strict rules to better prosecute hackers and make U.S. firms responsible for protecting consumer information. Obama’s cybersecurity proposals call for a law requiring companies to notify consumers of a data breach within thirty days of discovery, make it a crime to sell malicious software designed to control computers remotely (botnets), and allow the Justice Department to pursue criminals suspected of selling stolen financial information overseas. Obama also wants to make cybercrime punishable under the Racketeer Influenced and Corrupt Organizations (RICO) Act, a proposal he introduced to Congress in 2011.

Considering the rise in cyberattacks over the past three years, Congress is expected to support many of Obama’s cyber proposals. “The security of our computer networks is woefully inadequate, and the threats against them are growing more sophisticated each day,” said Senator Harry Reid (D-Nevada) in a statement on his Web site. “It is time to create the proper authorities and enhance the tools to protect the computer networks that are so crucial to our daily lives.”

Many private sector groups, including the U.S. Chamber of Commerce and the National Retail Federation, also support Obama’s cyber proposals, but a growing number of industry experts who have reviewed the proposals have called them inadequate.

The proposals are unlikely to stop the influx of cyberattacks, said Albert Whale, founder and chief security officer of cybersecurity firm ITSecurity. “Proposals don’t get work done. However (the proposal) may be enough for executives and companies to finally spend the money to get started. We have to start somewhere; any first step we take is a step in the right direction.”

The Pittsburgh Post-Gazette notes that while criminalizing the sale of botnets and stolen financial information may reduce the frequency of attacks, unprotected systems that operate critical infrastructure will still remain vulnerable to hackers. “This is reinforcing the concept that cybersecurity is strictly a confidentiality problem and not a problem that could affect physical things like electric grids, pipelines — you name it — where equipment could be damaged or people killed,” said Joe Weiss, managing partner of industrial control systems cybersecurity firm Applied Control Solutions.

DHS has issued guidelines to protect critical infrastructure systems in the private sector, but according to Weiss, true protection would require collaboration with international firms that use the same control systems equipment as the United States. He calls for a mandatory cybersecurity framework followed by all entities involved with critical infrastructure, strong protection of information about cyberattacks that is shared with DHS, and a sincere effort from the private sector to secure its own networks.

For now, Weiss is not convinced that private firms will make the necessary financial investment to protect against a critical infrastructure cyberattack, since no U.S. firm has directly tied any physical damages to a cyberattack. “People have a tendency to not believe this is real. It’s all hypothetical, like you’d see it on TV but it could never really happen. So there’s a reticence to want to spend money on something they don’t want to believe is real,” Weiss said. “If you don’t believe it’s real, any money is too much money.”