Cybersecurity strategy for nation: urgent need

To understand the urgency for a national cybersecurity strategy, you need only to know this: America’s cyberspace is under constant attack.

For years, an ever-changing cast of worms, viruses and malicious software has infected and disabled computers around the world and put sensitive data at risk aof loss, theft, or improper disclosure. Privacy breaches are a regular occurrence, with identity theft, stolen credit cards, and exposure of financial information.

{mosads}• Melissa Hathaway, acting senior director for cyberspace for both the National and Homeland Security Councils, tells of a recent incident in which, during one 30-minute period, 130 automatic teller machines in 49 cities around the world were emptied of their cash by cyber theft.

• The Wall Street Journal has reported that operational information for the Joint Strike Fighter, our advanced stealth-capable tactical air fighter, was breached, perhaps making it easier for our enemies to defend against it.

• And we’ve read media reports that severe vulnerabilities exist in our electricity grid, enabling foreign governments seeking to map our infrastructures to intrude on a very large scale.

Clearly, our defenses against cyber attacks and thefts are wholly inadequate. The Government Accountability Office and various inspectors general have been telling us as much for years. And the Center for Strategic and International Studies’ Commission on Cyber Security says weak security of cyber networks is one of the biggest national security vulnerabilities we face.

A coordinated and comprehensive strategy to better protect our cyberspace is long past due.

The Obama administration recently completed a 60-day review of federal cyber policy and structures, and I eagerly anticipate the report’s findings. Once the report’s recommendations are made public, I intend to draft bipartisan legislation to help close some of the gaps that our enemies — whether foreign governments, business competitors, criminal organizations or terrorists — have been able to exploit so easily.

In addition, House Homeland Security Committee chairman Bennie Thompson (D-Miss.), ranking member Peter King (R-N.Y.) and I introduced legislation last week to address critical security vulnerabilities in our electricity grid. The Critical Electric Infrastructure Protection Act of 2009 would give the Federal Energy Regulatory Commission (FERC) and the Department of Homeland Security (DHS) additional authorities to deal with cyber intrusions and attacks that could have a crippling impact on the operation of the grid.

{mosads}Our bill would allow FERC to address immediately an existing problem that DHS identified in 2007, known as the Aurora vulnerability. Aurora showed that bad actors could remotely destroy costly mechanical equipment, including large generators that are not easily replaced and without which the electric grid cannot function.

Immediate remediation is needed because all critical infrastructure sectors — every basic function of our society from our water and energy supplies to our communications and financial systems — are reliant upon electricity and if portions of the electric sector are disabled, the cascading affects could be catastrophic. I plan to mark this bill up soon in my committee and hope it becomes law without delay.

But we also need an overarching vision for safeguarding critical cyber networks and a comprehensive plan that lays out the responsibilities of each federal agency and the private sector, which owns most of the vast cyber infrastructures that support our way of life.

Many federal agencies have a stake in this plan, but DHS has unique statutory authorities to protect America’s non-defense governmental cyberspace and to coordinate security with the private sector.

Title II of the Homeland Security Act of 2002, for example, directs DHS to lead critical infrastructure protection efforts, which by definition include cybersecurity. The “National Strategy to Secure Cyberspace” released by President Bush in 2003 expands on DHS’s responsibility. And Homeland Security Presidential Directives 7 and 23 create a roadmap for agency responsibilities to protect critical infrastructure and implement the Comprehensive National Cybersecurity Initiative — which focuses on the protection of federal networks and makes clear that DHS is the lead agency for protecting all unclassified networks government and private.

The Department of Homeland Security has begun the serious task of protecting our cyber infrastructure. The Obama administration has now taken up the baton, and I look forward to hearing their ideas for carrying out this task. We have much work ahead of us, but if Congress, the administration and the private sector work in concert, we can put a clear structure into place that will help safeguard our cyber networks from catastrophic attack.

Lieberman chairs the Senate Homeland Security and Governmental Affairs Committee.