Langevin Makes Case for Stronger Cyber Rules for Key Infrastructure

Oct 26, 2011 Issues: Armed Services, Cybersecurity, International Human Rights

Speaking to an audience of more than 170 government agency representatives, educators, business people and others at the Brookings Institution today, Congressman Jim Langevin (D-RI) offered a blunt assessment of our nation’s lack of progress in protecting our critical networks and presented proposals to deal with our most urgent cybersecurity priorities during a keynote address and question and answer session.

Specifically highlighting weakness in key infrastructure like the electric grid and water systems, Langevin called for a more robust public-private partnership, with government taking the lead in issuing standards and guidance for the protection of critical utilities and infrastructure. He emphasized that the rules cannot be overly prescriptive because cybersecurity is a moving target and the companies themselves have the best knowledge of the threats they face, but stronger protections must be mandated in certain sectors.

“As STUXNET has shown the world, a serious attack through cyberspace is all too real a possibility, yet many companies still have not confronted this risk, focusing on reliability over security and profit over protection,” said Langevin.

“Many of my colleagues and many in industry have noted the challenges of creating a new regime for protecting critical systems in cyberspace, but the urgency of this effort demands that we take action. The status quo of security through anonymity is gone. Those who would gain political, economic, or military advantage through damage or disruption to critical systems are already well aware of the technical vulnerabilities. If we cannot convince policymakers and the private sector that security must be a priority, then we will suffer the consequences.”

Langevin also said businesses and the market need a better appreciation of how much “good cybersecurity is worth” as our economy is repeatedly victimized by intellectual property theft, which does immediate and long-term damage to our country’s leadership in innovation. He noted the need for more thorough data breach reporting by the government and publicly owned companies, as well as better information sharing between the public and private sectors about cyber threats and ways to manage them.

The speech coincided with National Cybersecurity Awareness Month and was hosted by the Brookings Institution Center for Technology Innovation. The center’s research focuses on identifying and analyzing key developments to increase innovation; developing and publicizing best practices to relevant stakeholders; briefing policymakers about actions needed to improve innovation; and enhancing the public and media’s understanding of technology innovation.

Langevin has been a leading voice advocating our nation’s cybersecurity needs, co-founding the bipartisan Congressional Cybersecurity Caucus and co-chairing the bipartisan CSIS Commission on Cybersecurity for the 44th Presidency.

Congressman Jim Langevin
Keynote Address on Cybersecurity
Brookings Institution
October 26, 2011

I would like to thank the Brookings Institution for inviting me to speak with you today on the safety and security of our critical networks, a topic I believe deserves far greater attention and scrutiny by people both inside and outside our national security sectors. I have a feeling I’ll have a lot of company in the room when I admit that I have always had the reputation of being a bit of a technology nerd, so I was more than thrilled back in 2007 when I was selected to chair the Homeland Security Subcommittee with jurisdiction over cyber programs. The field of cybersecurity was a bit new to me at the time, but it was right up my alley, and I jumped in with passion. Four years later, the news is awash with stories of digital harassment of major Fortune 500 companies; silent but effective espionage against our defense establishment; and even the potential horrors that a STUXNET-like attack could wreak upon our pervasively networked critical infrastructure. But despite all this press, and a growing awareness that we are facing a serious and urgent problem, we, the geeks, have so far failed. We should examine some disturbing facts.
 
A few short months after major intrusions that put customers’ personal and financial information in the hands of criminals, both Sony’s and Citi’s stock prices barely reflect anything amiss. The reason for this is more than good PR; it is because, despite all our efforts, the market still doesn’t appreciate how much good cybersecurity is worth.
 
There is a general belief among those who follow the topic that the importance of cyberspace to our national security and economic competitiveness is impossible to overstate. We know that beyond the large losses of private data that make the news, the main driver of our economy – our intellectual property – is being siphoned off on a daily basis for economic and military advantage by our competitors. 
 
In the defense sector, it is easy to see how losing the plans for a new weapon can be damaging to business – not to mention our national security. However, in the rest of the private sector, which runs the majority of our economy and houses the majority of our creative entrepreneurial spirit, many boardrooms are not convinced that an investment in strong cybersecurity is more cost-effective than a minor public embarrassment. Boardrooms need numbers and market information. While the market exists, clearly the information on the potential damage of this intellectual property theft to our national competitiveness and leadership in cyberspace is still lacking.
 
A 2010 study found the average cost of a data breach for a business to be $7.2 million, a manageable figure for a large Fortune 500 company, and one that some might simply consider the cost of doing business. But the increasing value of intellectual property makes each of these losses minimal in comparison to the potential long-term damage to America’s ability to remain the world leader in innovation. As my friend Jim Lewis noted earlier this year, “the US spent $368 billion on research and development last year, but cyber espionage lets others get the results for free.”
 
To make matters worse, many of these intrusions are possible due to common coding errors or lax corporate attitudes towards security. Currently, the SEC requires companies to report any material network breach, including loss of sensitive corporate information that could affect their marketplace, earnings, or share price. But because this definition is so vague, most of the breaches are never reported. I applaud the SEC for recently moving to tighten these rules and was pleased to see Senator Rockefeller’s leadership in highlighting this issue, but there is another side to this information puzzle.
 
One of the key recommendations of the CSIS Commission on Cybersecurity for the 44th Presidency, which I was proud to Co-Chair, was to reinvent the public-private partnership in cybersecurity. Overclassification, obtuse understandings of liability, and, frankly, a slow government response have plagued America’s ability to protect its private sector while fully enjoying the benefits of being home to the top cyber innovators in the world. 
 
The silent cyber crisis has grown to the point where it can no longer be ignored, and we still have a long way to go to respond effectively. Information sharing efforts with our defense industrial base have spawned new calls to reexamine the benefits of classification versus sharing. We have a classification system that is based on potential damage to national security, but in cybersecurity this reactionary thinking is often backwards.
 
Certainly we must continue to protect sensitive details about how we gather information, how much we know, and where we are most vulnerable. But because the adversaries we are facing in cyberspace are far more powerful than most civilian defenses, it is often the case that the more people who are secure from a virus or attack vector, the safer we all are. This preventative strategy can seem contrary to our normal security mindset and is one reason why the Department of Homeland Security is a critical partner, along with the NSA, in reshaping our public-private partnership.

We in Congress also have a role to play. There are legal and liability hurdles to greater information sharing that range from fears of acting as an agent of the government to privacy concerns about ECPA. What is clear, however, is that cyber threat information in government hands needs a clearer pipeline, or even network, to enable it to be shared with the private sector. While some of this information may need to remain classified, much of it can – and should – be shared for the greater good of our country.

Another area of focus on the CSIS Commission was critical infrastructure. In 2007 my Subcommittee on the Homeland Security Committee began investigating an evolving threat to our critical infrastructure: the threat through cyberspace. It became clear to the Committee that many in our utilities sector did not fully appreciate the vulnerabilities they had exposed themselves to by linking their industrial control systems to their corporate IT networks. As STUXNET has shown the world, a serious attack through cyberspace is all too real a possibility, yet many companies still have not confronted this risk, focusing on reliability over security and profit over protection.

The threat of a cyber war against our critical infrastructure may seem far off. But we are already beginning to see interest among the hacking community in the massive and often shocking vulnerabilities and lax mindset that plague our power, water, transportation and other utilities. It used to take a sophisticated hacker to pull off a distributed denial of service attack; now all you need is an internet connection, tools such as the Low Orbit Ion Cannon and an angry mob. My gut tells me we will see a similar progression against our critical infrastructure.

I believe it’s time for a new take on the public-private partnership, with government taking the lead in issuing standards and guidance for the protection of critical utilities and infrastructure. I have worked hard to bring this model of a federal lead in cybersecurity to the electric grid, but it applies across other sectors as well. I introduced a bill earlier this year that echoed the White House model for establishing frameworks for various critical infrastructures, guided by best practices developed across industries. I have also been interested in the potential creation of a dot critical infrastructure realm. This idea could range from simply a different set of security rules and expectations when operating on highly critical networks, such as those attached to the SCADA systems of nuclear power plants, all the way to a new domain built with the goal of security at the outset.

Many of my colleagues and many in industry have noted the challenges of creating a new regime for protecting critical systems in cyberspace, but the urgency of this effort demands that we take action. The status quo of security through anonymity is gone. Those who would gain political, economic, or military advantage through damage or disruption to critical systems are already well aware of the technical vulnerabilities. If we cannot convince policymakers and the private sector that security must be a priority, then we will suffer the consequences.

I was glad to see the House Republicans recently offer policy positions on cybersecurity that match the efforts I have been pursuing with my colleagues in the Senate and White House. I believe in a balanced approach of incentives and regulation, but certain sectors have not yet taken security seriously enough and need more federal oversight. I am encouraged by the Republican task force’s findings and am hopeful that this will be an area where we can continue bipartisan efforts to move legislation before the end of the year. However, we as policy makers must remain actively engaged in continuing to educate our colleagues and the public.
 
It is easy to look at a breach like WikiLeaks, or to a lesser extent RSA, and understand how it can threaten our security. But quantifying the impact of the economic damage done to our economy from continual, daily fraud and espionage is a much more difficult equation to comprehend. Some say it will take a “Cyber 9/11” or “Digital Pearl Harbor” that inflicts severe damage to our power grid, water supply, or financial system to convince the public and the markets that cybersecurity is a worthwhile investment. I have been fighting to make sure it does not take an emergency, but I fear we are running out of time. Automated tools are lowering the bar for cyber mischief while the advanced actors are getting more creative every day. We only have to look as far as the new fascination in the hacktivist realm with the PLCs and SCADA systems that control our critical infrastructure, or the recent revelations of intrusions among the energy sector, to guess the targets of future hacks. Let us move with all haste to ensure we are ready for the coming storm. Thank you for your time.