America is under attack and the truth is, we aren’t doing enough to stop it. For all the fuss about national security in the last decade, we are forgetting the real threat isn’t only physical, but digital. 

This isn’t some far-off possibility; it is happening now. Key American computer networks are attacked thousands of times a day by state-sponsored hackers, foreign spies, criminal organizations, lone hackers and “hacktivists.” Cybersecurity organizations are also planning for future cyber attacks from terrorist organizations like Al Qaeda.

And it’s only going to get worse. As our national and global economies become ever more intertwined with the Internet, cyber attackers are developing greater capabilities to attack high-value targets. From anywhere in the world, cyber attackers have the ability to disrupt America’s most vital systems, from electric power grids to financial markets. With sufficient ingenuity, cyber attacks could cause billions of dollars in damage and put thousands of lives in jeopardy.

Will it take a ‘Cyber 9/11’ before we finally realize the importance of protecting our digital resources?

Congress is currently debating what form national cybersecurity reform should take. In May, the U.S. House voted 229 to 186 for its National Defense Authorization Act, which includes several cybersecurity measures--largely taken from the House Committee-approved Federal Information Security Amendments Act of 2010. The National Defense Authorization Act is currently pending before the Senate. 

Meanwhile, the Senate is considering its own version of cybersecurity reform. The 'Protecting Cyberspace as a National Asset Act of 2010', S.3480, creates an Office of Cyber Policy in the White House with a Director accountable to the public who can lead all federal cyberspace efforts and devise national cyberspace strategy.

The arguments in favor of cybersecurity reform can become very complicated and lost in the tangled web of the legal, governmental and political issues involved. But the steps to protect ourselves are pretty straightforward.

What key measures must the U.S. Congress pass into law in order to enact meaningful cybersecurity reform?

1. Create an Office of Cyberspace Policy in the Executive Office of the President run by a Senate-confirmed director, to advise the president on all cybersecurity matters. The director should oversee all federal cyberspace activities to ensure efficiency and coordination.

2. Strengthen the Department of Homeland Security by creating within it a National Center for Cybersecurity and Communications (NCCC). It would lead federal efforts to protect public and private sector cyber and communications networks.

3. Modernize FISMA (Federal Information Security Management Act) by moving away from “after-the-fact” paperwork compliance to real-time monitoring of threats.

4. Establish new security requirements for the nation’s most critical infrastructure networks.

5. Require critical infrastructure providers to report breaches.

6. Grant the president new emergency powers to protect the nation’s most critical infrastructure systems if attacked. These new powers should not include the so-called “kill switch” authority over the Internet – nor should they enable new surveillance authority. Furthermore, these new powers should have limitations, including requiring Congressional notification prior to action, limiting emergency responses to the least disruptive possible and terminating powers after 30 days unless an emergency extension is needed.

7. Protection against so-called “Manchurian Chips.” Supply chain risk management is critical and Congress must provide for better security, risk assessment and reporting of technology products purchased from private or overseas vendors.

8. Better training and recruitment of cybersecurity personnel.

What key mistake could undermine national cybersecurity reform?

The biggest mistake Congress could make is to grant “kill switch” authority over the Internet.

There has to be a level of trust built among the key players in government, public/private industry, and academia. The government should not just step in and mandate policy and expect the process to work. Heavy-handed tactics will be met with resistance and contention. As vigilant as the government may want to be, it's well advised to partner with industry and academia.

Is it critical for the Cybersecurity Czar to have budget authority?

Yes, but within reason - meaning, budgetary authority with congressional oversight and approval.

How does America's cybersecurity compare with other countries - particularly China, Russia and Iran?

The primary origins of cyber threats to the U.S. remain Russia, China, and terrorist organizations. Although Iran is often labeled a “cyber threat,” in reality it does not yet seem to possess the cyber capabilities, skills, or experience necessary to warrant it. The greatest cyber advantage of Russia and China is their wealth of human capital. Both nations have a very high education rate that, when combined with the legacy of emphasizing math and science education, has created a large labor pool of well-educated technology specialists, capable of sophisticated cyber attacks.

However, it is important to note that Russia and China also consider us to be their primary cyber foe. In fact, statistics have shown that a disproportionate number of cyber attacks do indeed come from computer servers based in the U.S.

 

Jay Bavisi is president and co-founder of the International Council of E-Commerce Consultants (EC-Council), a global organization that researches, consults and provides training on issues of e-commerce and cybersecurity. Jay is a regularly featured speaker at e-commerce and cybersecurity conferences in the U.S., Asia, Europe and the Middle East. 

Joseph M. Grimm is president of InnovaTech College of Business and Technology. He has spent over 22 years in military service with US Army Special Forces and has held leadership positions at all levels. He has served the nation in over 33 countries and is the current President of North Carolina Association of Career Colleges and Schools.