HSNW conversation with James Lewis

U.S. always ends up regulating new technologies for public safety; the Internet is no exception

Published 29 August 2012

Homeland Security News Wire’s executive editor Derek Major talked with CSIS’s James Lewis about the cybersecurity challenges the United States faces, Stuxnet, China’s hacking campaign, cyber arms control efforts, and more; on the stalled cybersecurity bill, opposed by critical infrastructure operators as being too burdensome, Lewis says: “It takes America about 20-40 years to come to terms with a new technology, but we always end up regulating it for public safety. This will be no different. We are in year 17.”

Homeland Security News Wire: Why did the cyber security bill fail to gain majority support on the Hill? Do you see the bill passing before the presidential election?
James Lewis: People had doubts about DHS, the business lobbies were strongly opposed, and the Republicans couldn’t resist proposing amendments on health care. It came very close.

HSNW: Do you think the bill will be an issue of debate before the election? Should it be?
JL: We aren’t going to have any serious debates on national security.

HSNW: It is easy to see why private operators of critical infrastructure facilities would object to the bill, seeing in it another burdensome government imposition. But haven’t we been here before? The airline industry and the chemical industry both adamantly opposed the imposition of government-formulated security standards, preferring instead what they described as “voluntary, industry-designed” security measures. Both industries eventually agreed — or were made to agree, by Congress — that uniform and mandatory government security standards were essential. Do you foresee the same process with regard to critical infrastructure?
JL: It takes America about 20-40 years to come to terms with a new technology, but we always end up regulating it for public safety. This will be no different. We are in year 17.

HSNW: Do you view Stuxnet as a game changer? If so, why?
JL: It really wasn’t a big deal. Weaponized code successfully tested in 2007.

HSNW: Do you know whether the Chinese have already planted “sleeper” malware in the U.S. critical infrastructure system, malware that could be activated at the outset of a U.S.-China conflict in the future?
JL: Probably not, although they have probed it for reconnaissance purposes.

HSNW: What government body in the U.S. should monitor critical infrastructure cybersecurity compliance — DHS? NSA? A new body?
JL: A new body, if DHS can’t get its act together soon.

HSNW: Where do you stand on the issue of a cyber arms control treaty among the major industrial countries? Traditional arms control can be verified (you can count missiles, nuclear warheads, etc.); how do you verify whether or not a country has developed offensive cyberwar options?
JL: Treaties are unverifiable, so there is no sense in agreeing to one. When people invent a weapon they tend to use it unless it is truly horrific, and a cyber attack is not in that category.

HSNW: The Internet was not designed with security in mind, yet so many vital economic and security assets are now being run, monitored, and communicated with using this insecure and easily breached system. Is it possible to design an impregnable digital architecture for use by critical economic and national security systems?
JL: Not as long as humans are involved. Somebody will always make a mistake. But we can minimize risk and damage.

James Andrew Lewis is director and senior fellow, Technology and Public Policy Program, the Center for Strategic and International Studies