By U.S. Sen. Olympia J. Snowe(R-Maine)
Nearly a year ago, I joined my with colleague, Senator John D. (Jay) Rockefeller IV of West Virginia, and filed a comprehensive cyber security bill to bring new, high-level governmental attention to developing a fully integrated, thoroughly coordinated public-private partnership as that is the only way we can address our nation’s 21st century vulnerability to cyber crime, global cyber espionage, and cyber attacks. This is why last Tuesday, I helped to lead a U.S. Senate Committee on Commerce, Science and Transportation hearing examining steps to advanced initiatives to combat the threat of cyber attacks. Commerce Committee Chairman Rockefeller and I sought to carve a course for our country to embrace a national security policy that will protect and preserve American cyberspace, which President Obama has rightly deemed a “strategic national asset.” Indeed, it is simply undeniable that the interconnection and integration of global systems – the very backbone of our functioning modern society – creates myriad opportunities for cyber attackers to disrupt communications, electrical power, and other indisputably essential services. And over the past several years, let there be no mistake – cyber exploitation activity has grown more sophisticated, more targeted, and more serious.
According to Director of National Intelligence Dennis Blair, a burgeoning array of state and non-state adversaries are increasingly targeting the Internet, telecommunications networks, and computers, and we are being assaulted on an unprecedented scale by well-resourced and persistent adversaries seeking to gain a glimpse into America’s mission-critical vulnerabilities. Failure to implement effective policies and procedures to prevent unauthorized intrusion has proven extremely consequential, and if we fail to take swift action, we risk a cyber-calamity of epic proportions with devastating implications for our nation.
Indeed, government agencies as well as the private sector are identifying an increasing number of security incidents. According to Verizon, more electronic records were breached last year than the previous four years combined, resulting in loss of privacy, identity theft, and financial crimes. Today, hijacked personal computers known as botnets are used to send spam or viruses. And all of this is done without the owner’s knowledge.
Just last week, according to a recently released report from Netwitness, hackers gained access to a data at close to 2,500 companies and government agencies, from credit-card transactions to intellectual property, over the last 18 months in a coordinated global attack. Many of these records are then sold on the black market, often via online forums.
In fact, 85 percent of our vital infrastructure is owned and operated by the private sector, and, according to a 2009 Verizon report which examined data breaches at 45 major U.S. firms in 15 different industries, “the average cost for a data breach reached an eye-opening $6.75 million” – that’s the cost to the average large company every single day. Last May, the President noted that it had been estimated that in 2008 “cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.” As a result, cyber attacks represent both a potential national security and economic catastrophe.
It is imperative that public and private sectors marshal our collective forces in a collaborative and complementary manner to confront this urgent threat and reduce the risk posed by cyber intrusion or a catastrophic cyber attack. As Melissa Hathaway, the former acting director for cyberspace at the National Security Council, recently wrote, “a government cannot develop a strategy independent of private sector insight and cooperation,” and I could not agree more.
As part of this effort, we must identify incentives for the private sector. Limiting liability for the companies that improve its cybersecurity posture, improving threat information sharing, providing a “safe harbor” for exchanging vulnerability data, as well as tax credits contingent on a company complying with certain security practices, should all be considered.
It is equally urgent that government takes proactive steps always mindful though of privacy concerns. The Rockefeller-Snowe bill would statutorily require companies to adopt certain cyber security best practices much like how companies in the chemical sector are currently required to comply with the Chemical Facilities Anti-Terrorism Standards. The government should also develop a robust workforce of cybersecurity professionals, promote innovation and excellence in products and services, institute a campaign to educate the public about cybersecurity risks, use the government’s purchasing power to raise standards through procurement, and promote government and private sector teamwork in emergency preparedness and response in the event of a catastrophic cyber attack.
Ultimately, we must recognize that time is not on our side and it is clear that our adversaries will continue to change their tactics as technology evolves. Congress must take action.
