Relentless assaults on America’s computer networks by China and other foreign governments, hackers and criminals have created an urgent need for safeguards to protect these vital systems. The question now is whether the Senate will provide them. Senator John McCain, a Republican of Arizona, and the Chamber of Commerce have already exacted compromises from sponsors of a reasonably strong bill, and are asking for more. Their demands should be resisted and the original bill approved by the Senate.
Officials and experts have warned about cybersecurity dangers for years; now the alarms are more insistent. On Thursday, Gen. Keith Alexander, the chief of the United States Cyber Command and the director of the National Security Agency, said intrusions against computers that run essential infrastructure increased 17-fold from 2009-11 and that it’s only a matter of time before an attack causes physical damage. He has also called the loss of industrial information and intellectual property through cyberespionage “the greatest transfer of wealth in history.”
American officials say businesses already lose billions of dollars annually. Hundreds of major companies, defense contractors and government agencies have been affected. Attacks on power plants, electric grids, refineries, transportation networks and water treatment systems present an even greater threat. Last year, there were at least 200 attempted or successful cyberattacks on those facilities.
Yet defenses are dangerously thin. On a scale of 1 to 10, General Alexander rated preparedness for a large-scale cyberattack — shutting down the stock exchange, for instance — as “around a 3.” That is why President Obama and others have argued for mandatory minimum standards that would require companies to share information and harden computer protections.
Bipartisan legislation drafted by Senator Joseph Lieberman, a Connecticut independent and the chairman of the homeland security committee, and Senator Susan Collins of Maine, the ranking Republican member, met that bar. But faced with strong opposition from Mr. McCain and the business community, the sponsors compromised. Under the revised bill, industry will develop the standards for addressing threats and compliance will be voluntary.
This has not satisfied Mr. McCain or the chamber, which insists the bill would still be too costly and cumbersome. Last year, a survey of more than 9,000 executives in more than 130 countries by the PricewaterhouseCoopers consulting firm found that only 13 percent of those polled had taken adequate defensive action against cyberthreats.
Not all companies share that aversion to the bill. Microsoft and Symantec, among others, have supported the original Lieberman-Collins legislation. And civil liberties groups say their earlier privacy concerns have been addressed. It’s time for the endless talk of cyberthreats to be met by action. The Lieberman-Collins bill should be voted by the Senate this week and then merged with the House version so a law can be enacted this year. If not, and a catastrophic cyberattack occurs, Americans will be justified in asking why their lawmakers, mired in election-year partisanship, failed to protect them.
Cybersecurity at Risk