Cybersecurity bill not likely before a crisis proves its necessity

Published 13 May 2014

A recent simulation, with 350 participants from congressional staffs, the cybersecurity sector, and the U.S. military, examined whether or not Congress was capable of passing comprehensive cybersecurity legislation to protect the country’s critical infrastructure from debilitating cyberattacks. The simulation participants concluded that Congress is not likely to act unless there is a major cyber crisis, and that until such a crisis occurs, smaller measures, such as the president’s voluntary cybersecurity framework, are the best that can be hoped for.

Recent research found about twenty-five security vulnerabilities in the supervisory control and data acquisition (SCADA) systems which monitor and control many of the U.S. water, power, and other critical infrastructure assets.

Matt Rhoades, director of the cyberspace and security program at Truman National Security Project, recently held a legislative simulation with participants from congressional staffs, the cybersecurity sector, and the U.S. military to see whether the United States could pass legislation to fix the nation’s cyber vulnerabilities right after a national crisis.

The simulation dealt with a series of cyber crises which occur in spring 2015. In the scenario reported by Defense One, a major cyberattack hits two generators in Florida on 4 April 2015, disrupting power in Coral Springs and St. Augustine, Florida, and leading to multiple deaths and millions of dollars lost. A month later, Congress is tasked with presenting a bill to the president to fix the vulnerability, but political gridlock, media histrionics, and aggressive lobbying from industry make passage of a bill unlikely.

The 350 participants worked out of rooms at the Washington Plaza hotel, over the course of four hours. Five minutes into the simulation, the president’s approval rating fell to 35 percent, as the public placed their trust in Republicans more than Democrats to handle cybersecurity.

One conclusion from the experiment is that Congress and the White House are capable of enforcing cybersecurity laws for the critical infrastructure sector, if the industry is invited to the decision table through a private-public working group. In February, when asked why cyber industry officials would voluntarily adopt security standards as outlined in the president’s cybersecurity framework, even though the standards may be costly to implement, a senior Obama administration official cited “enlightened self-interest,” telling reporters, “it’s very much in their interest to know how to adopt what’s considered best practice and to put it in a framework where it can be effectively used.”

While the White House generally received praise for the contents of the framework, researchers Eli Dourado and Andrea Castillo of George Mason University suggest that the framework is more likely to cause harm than to solve problems. “In reality, much of the functioning Internet governance that users enjoy today is not a product of government committees but rather a natural emergence from the rules and incentives that permeate the Internet called ‘dynamic cybersecurity,’” they wrote.

Rhoades told Defense One that it seems unlikely that Congress will pass a major bill on cybersecurity without a crisis, and if such is the case, then, “what is our threshold in terms of what sort of crisis actually spurs that on?” Additionally, “if we are actually making decisions at the time of a crisis, are we making good decisions or bad decisions — are we making decisions that we are better off making at a more sober time than at the time of a crisis?”

Rhoades set May 2015 as the date for the simulation because he wanted to give the cybersecurity framework “about a year to kick in, get out of the election season… get to a time of year that makes policy more relevant.” Rhoades noted that the change in congressional personnel will influence decisions. House Intelligence Committee Chairman Mike Rogers (R-Michigan) is set to retire at the end of his term. “We wanted to see if we could take a look at how those folks may or may not feel about cyber issues.”

Andrew Borene, an adviser to the Center for National Policy’s cyberspace and security program, who played the part of president in the simulation, told Defense One, “this weekend’s cybersecurity wargame is not about navel-gazing on tactics, crafting talking-points or looking at capabilities. It’s about taking a group of real-world leaders and acid-testing our nation’s current cybersecurity and legal framework before a real crisis occurs.”