Congressional Gridlock & the Threat to our Cybersecurity

A country is under daily threat of invasion from seemingly invisible enemies located outside of its borders.  Surprisingly, the country remains unprepared – its government has instituted no policies or procedures to respond to the imminent threat; policy makers and legislators struggle to define how such attacks should be treated under the laws of the land.

If you guessed that this country is the United States of America, you are right. The attacks are those that happen in cyberspace – ranging from cyberwarfare to the list of threats from “compromised” web applications in this McAfee report.  Countries already engage in cyberwarfare – Russia launched a cyber attack against the Republic of Georgia in August 2008; China has allegedly used cyberwarfare for years against India.  But now we are seeing frequent attacks against private enterprise too.  Just yesterday, we learned that the recent cyber attacks against Google and several other technology companies were mounted from unlikely battle stations, two universities in China, both of which receive funding from the Chinese government.   We also learned about the existence of the massive Kneber botnet that has infected 75,000 computers at over 2,500 corporate and government entities.  Was Congress paying attention?

Cyber attackers come in all shapes and sizes, and exist on a global scale, just like the Internet.  At a recent NAAG Presidential Initiative looking at cybercrime and other issues, Fred Huntsberry of Paramount Pictures stunned his audience with a presentation on Russian and Eastern European cybercriminals.  These guys run online websites that manage to violate content piracy and identity theft laws at the same time, and on a massive scale.  First, they provide pirated, just released theatrical content for download or streaming.  Then, as many are also members of identity-theft rings, they misappropriate the credit card information you stupidly provide for subscription access to all that great (pirated) content.

The size of the cybercrime operation does not necessarily dictate the impact of the activity.  Take for example, the cybercrime ring composed of 3 people – Albert Gonzalez and his two Russian partners, responsible for the biggest data breach in US history (Heartland Payment Systems, implicating over 130 million credit and debit card accounts).  This was on top of the Gonzalez team’s other enormous breaches – including hacking into the payment systems of some of the country’s top retailers (Barnes & Noble, Office Max, Sports Authority, etc.)

The US has been on notice about the need for a comprehensive framework – to deal with cyber attacks and cyberwarfare – for many years now.  In 2001, Chinese hackers shut down whitehouse.gov; amazingly, almost 10 years later, we still lack a national plan of action to deal with cyber security, or a national data security law that defines both the issue and an offensive strategy to deal with its concerns.  Why do we lack the ability to deal with this very real and imminent threat?

A sobering white paper, recently published by former House Representative Thomas McMillen, provides some possible answers as to why there is no “political or corporate will” to enact cyber security legislation: an aggressive private sector lobby that has “resisted change” while paying “lip service” to the issues, a disengaged federal government (let’s add congressional gridlock to this category), and a public that fails to see the link between identity theft and cyber attacks (even though an estimated 40 million Americans are “cyber victims”). McMillen advocates for more public awareness – along the lines of what happened in the environmental movement – to catalyze the private sector to compete on security.  He also advocates for government regulation to give the industry the direction it needs on developing technologies and practices around cyber security.

If you believe McMillen’s report, there’s been little effective coordination between the public and private sector on cybersecurity – something that must happen for the government to effectively respond to a cyber attack.  For instance, imagine a situation where malware on smart phones (delivered through an innocuous March Madness application) is remotely activated to shut down the country’s telecom and broadband networks, paralyzing them during a hurricane.  How would the government and telecom providers resolve the issue? This was the scenario imagined by the Bipartisan Policy Center this week during their CyberShockWave mock attack exercise – featuring real former government officials in pretend government roles. After going through the exercise, the Center concluded that the US is “unprepared” for cyber threats (you can actually view the mock attack on a CNN special this weekend). And surprisingly, we do not yet have guidelines for how the government should communicate with private industry – like the telecom industry – in the case of such an emergency.

The lack of an effective cybersecurity framework is troubling.  But even more worrisome is the fact that the US is already losing the philosophical battle here against some formidable opponents.  Today’s cyber warriors are ideologically disposed towards cyber attacks – in China, hacking is often viewed as a patriotic activity.  They are intelligent – Shanghai Jiaotong University, one of the two universities identified as a source of the recent attacks against Google, recently beat out Stanford to win IBM’s prestigious Battle of the Brains competition.  And they are sophisticated – NPR’s interviews at this week’s Black Hat conference reveal a world where hacking is viewed as a business – complete with mission statements, budgets and continuing education programs.

It’s unlikely that cybersecurity legislation will be enacted in an election year when Congress already has so much on its plate.  Yet not doing so has severe consequences. Cyber attacks are behind one of the leading consumer complaints faced by federal and state regulators – identity theft.  Nearly 12 million consumers were affected by this crime in 2009 (according to a recent study by Javelin Research), making this a very real threat, not a policy issue that should be left for debate.   This reason alone should give Congress the political will to act; yet the gridlocked body continues to ignore the issue.

I hope it doesn’t take a real cyber attack to get their attention.