Defenseless against cyberattacks

By Editorial Board, August 06, 2012

IN THE FINAL WEEKS before Congress left for its August break, Sens. Joseph I. Lieberman (I-Conn.) and Susan Collins (R-Maine) took a gamble. They watered down their own cybersecurity legislation in hopes of winning passage. But last week on the Senate floor, their compromise died. The sponsors could muster only 52 votes, short of the 60 needed.

Mr. Lieberman and Ms. Collins went a long way. Their original legislation would have set mandatory cybersecurity standards for companies that run critical infrastructure, such as electricity, water, nuclear, communications and financial networks. Ripping the heart out of their bill, they made the standards voluntary but still found no takers. The influential U.S. Chamber of Commerce opposed it, saying the legislation took an “adversarial” approach to the private sector. The group has endorsed other bills with less rigorous requirements.

This was a moment when the business lobby put its head in the sand. The threat posed to the private sector in cyberspace cannot be wished away — it is large and growing. Most companies realize this from their own experience. They are being battered by cyber-exploitations and theft, losing customer records and intellectual property. Instead of torpedoing legislation, they ought to be leading the way, pressing Congress to act.

The United States needs to shore up its cyberdefenses, which are relatively weak. The government has unique capabilities to help firms improve cybersecurity but needs the legislation to act in concert with the private sector. Gen. Keith B. Alexander, the commander of the U.S. Cyber Command and the National Security Agency, has warned that cyberattacks on critical infrastructure are moving from the inconvenient to the destructive. One day, this could mean a click that throws a city into a blackout or causes a financial market to crash. Gen. Alexander and other military and national security officials have urged Congress to pass some kind of legislation soon.

The Lieberman-Collins compromise reflected a proper sense of urgency. The House approved its own, somewhat similar, legislation in April, although privacy concerns have led the White House to threaten a veto. The net result is that Congress left town with the nation’s critical infrastructure exposed and cyberdefenses still down. When it returns in September, a concerted effort should be made to pass legislation so the government and private sector can begin to face the onslaught, together.