Is There A Role For Government In Cybersecurity?
TOM GJELTEN, HOST:
This is TALK OF THE NATION. I'm Tom Gjelten in Washington, sitting in today for Neal Conan. Imagine this: The president calls an emergency meeting of national security officials. He paints a bleak picture: across the country, trains have derailed, including one carrying industrial chemicals that explode into a toxic cloud.
Water treatment plants in several states have shut down, contaminating drinking water and causing Americans to fall ill. That was the scenario President Obama himself laid out in a Wall Street Journal op-ed last month. He was describing a simulation exercise his administration designed to help agencies test their cyber-crisis readiness. His point: We're not ready.
General Keith Alexander, head of the U.S. Military Cyber Command, says computer attacks on critical infrastructure facilities have increased 17-fold since 2009. On a scale of one to 10 on cybersecurity readiness, he says, the U.S. is stuck at three. Those warnings have been backed up by many other national security leaders but apparently to no avail.
A cybersecurity bill designed to beef-up critical infrastructure security failed last week in the Senate, blocked by senators who say the bill introduced too much government regulation of private industry.
If you run a business that would have been affected by this legislation, we want to hear from you. What role, if any, should government play in your cybersecurity readiness? Our number is 800-989-8255. Our email address is firstname.lastname@example.org. And you can also join the conversation on our website. Go to npr.org, and click on TALK OF THE NATION.
Later in the program, NPR's Lourdes Garcia-Navarro and Leila Fadel join us for an update on the recent attack in Sinai. But first, Ken Dilanian is the national security correspondent for the L.A. Times. He's been covering the political debate surrounding the failed cybersecurity bill, and he joins us now in Studio 3A. Welcome, Ken.
KEN DILANIAN: Thanks for having me, Tom.
GJELTEN: So Ken, let's first remind people what cybersecurity means. What is the security threat that we're really talking about here?
DILANIAN: And it's not an easy a question as you might think, Tom. I mean, really my sense of it is there's three buckets of threats that are separate, but there's overlap between the three. There's sort of - there's cyber crime, which is - can be identity theft or stolen credit card numbers, and that can get pretty organized and transnational, and a lot of intelligence officials will tell you Russian criminal groups, Eastern European criminal groups are carrying that out.
There's cyber espionage, which can be - which is often perpetrated by nation-states, China being the chief culprit according to the intelligence agencies, where the intelligence agency is directing its resources at stealing intellectual property from the West, from America, from U.S. companies. And Keith Alexander has called that the greatest transfer of wealth in U.S. history.
And then there's this third category that you just talked about, which is more speculative. It's what I would call, maybe, cyber acts of war, attacks against critical infrastructure that could cause physical destruction, casualties. Alexander last week in a speech in Aspen said those kind of attacks are coming, he believes.
But a lot of people are not convinced, including, maybe, some corporate CEOs.
GJELTEN: And that's - that would be also cyber terrorism, for example. If somebody really wanted to do damage, not just steal something but really do damage to America, that would be a really effective way to go about it, theoretically, right?
DILANIAN: Exactly, and it's more than theoretical. I mean, as you know, you've done some terrific reporting on this for NPR...
DILANIAN: There are - you know, the U.S. has proven in a lab that it could explode a diesel generator in something called the Aurora project.
GJELTEN: By sending a computer instruction to do just that.
DILANIAN: Exactly, through cyber means, and, you know, it's now been reported that Stuxnet was an attack, sponsored by the U.S. and Israel, a cyber attack that caused Iranian centrifuges to spin in a way that would destroy them.
GJELTEN: Yeah, and this cybersecurity legislative proposal, the Cybersecurity Act of 2012, was really addressed at this third category of attacks. I mean, it really wasn't focused on crime or espionage; it was focused on protecting the nation's infrastructure, right?
DILANIAN: Well, I don't know. I think it was sold that way because that's the sexy - that's the thing that gets people's attention. But I think the espionage piece was as big a part of it. There were two major aspects to this bill. There was a standard aspect that would create - first it was mandatory, then it scaled back to voluntary standards to shore up networks for these critical infrastructure companies.
There was also an information-sharing provision, though, that would have allowed the government to share classified information with companies and companies to share certain data with the government. And that, you know, intelligence officials have said, would allow them to better stop even the cyber espionage kind of attack.
GJELTEN: And what was the history of this? I mean, the administration, I remember, put forward its own legislative proposal more than a year ago. There's already been a bill passed in the House. What's been the evolution of the legislative thinking and the legislative action in this area?
DILANIAN: Right, the administration did put out a proposal that did track pretty closely with what ended up being the Senate proposal. The House, which is controlled by the Republicans, passed a bill that was information-sharing only. You know, they're - no regulation at all. And this issue has really run into sort of the anti-regulatory wave in the Republican Party and the business community even when the regulation became voluntary.
So that's how it evolved. You know, the Senate bill started out with mandatory provisions. It wasn't like the government was going to say these are the standards, though. There were going to be industry groups that would get together and craft standards that everyone could agree on to improve network security.
GJELTEN: But those companies would then be forced to comply with those security standards.
DILANIAN: That was the original Senate proposal. But then realizing that it wasn't going to get any Republican support, its backers scaled it back and said OK, we'll make these standards voluntary. But even that was - that could not get the support of the U.S. Chamber of Commerce or most Republicans in the end.
GJELTEN: Most Republicans, and what was the - what was the nature of the debate? Was it a vigorous debate in the Senate over this? Did it sort of line up along kind of traditional partisan lines?
DILANIAN: It struck me - it was a vigorous debate, but it also was the kind of debate where senators were making speeches on other issues, too. So it almost - they were going through the motions, in some sense, knowing it wasn't going to pass. But the Republicans stuck to the line of, you know, this is big-government regulation, we don't - the government - and the intellectual argument for this is technology standards are changing so fast, you can't set up a regulation that's going to adequately capture and protect what's happening in the industry.
GJELTEN: Now one other thing, Ken, we've been talking about the big business versus security debate here, but there is also a privacy issue, because we're talking here about the government getting information or having access to information for the benefit of promoting cybersecurity, and that did raise some privacy issues for people, didn't it?
DILANIAN: It absolutely did, and in fact the House bill, as it stood, was opposed by the White House on those grounds, and the White House and privacy groups argued that it was sharing too much information with the government. The Senate negotiated with privacy groups like the ACLU and the Center for Democracy and Technology and got their acquiescence to - and part of it was agreeing that DHS, rather than the National Security Agency, which is the Pentagon's spying arm, after all, would be the entity that would receive the shared information.
GJELTEN: And what is the - I mean, we talked about General Alexander and other national security leaders who are not political at all endorsing this legislation, saying it's key to U.S. national security. What's been the Romney campaign's view of this issue?
DILANIAN: You know, I have not heard the Romney campaign express a view. Senators who are supporting Romney opposed this legislation and, you know, privately Republican aides said hey, Alexander's a sitting member of the Obama administration, what do you expect him to say, which - it was sort of extraordinary.
But, you know, there are some former officials who are backing Romney, like Mike Chertoff, a former Homeland Security secretary, who endorsed this bill wholeheartedly.
GJELTEN: And what are we going to see next? I mean, Congress is in recess now, but I'm assuming there'll be more legislative activity on this front.
DILANIAN: There may be an attempt at a compromise, and there may also - there's talk of the White House trying to do some of this with an executive order, although they were unwilling today to say whether they would do that.
GJELTEN: Good enough. All right, thanks very much for the update. Ken Dilanian is the national security correspondent for the L.A. Times. He joined us here in Studio 3A. Thanks for being with us, Ken.
DILANIAN: Thanks for having me, Tom.
GJELTEN: And now, Ken mentioned the opposition that this proposal has encountered from the business community, and with us now is Larry Clinton. He's president of the Internet Security Alliance, which is a trade group that focuses on cybersecurity. He joins us today from member station WMFE in Orlando. Hello, Larry.
LARRY CLINTON: Hi, Tom, pleasure to be with you.
GJELTEN: Pleasure to be with you. So we've spoken in the past, Larry, and you have shared with us some of the concerns that you have, that you have had about these cybersecurity proposals. How did you and your group feel about this last proposal in its modified form, which did, as Ken Dilanian said, include some compromises?
CLINTON: We wrote a letter to the Senate saying that we thought that this proposal definitely was moving in the right direction. I think that Ken's description that mandatory standards set by the government probably just don't work in as dynamic and fast-moving a space as cybersecurity.
So what we have, at the Internet Security Alliance, always maintained is that we need to shift to a more modern approach to cybersecurity where we would infuse the market with the sorts of incentives that would help the private sector develop and input these improved security devices, and that's actually what we saw with the latest provision.
And it wasn't just the Republicans who were pushing in this way. There was a bipartisan group of moderate liberal Democrats - people like Senator Whitehouse and Senator Blumenthal and Senator Coombs from Delaware - all of whom were saying we have to move away from this government-centric regulatory model and move towards a more incentive-based model, and I think that's where we'll probably pick up probably in the next Congress on this.
One other point I want to mention really quickly, and Ken is exactly right about this, there's actually lots of provisions of the cybersecurity bill, not just information sharing but so called FISMA reforms that deal with federal networks, education awareness programs. There's a whole bunch of really good legislation that is embraced by the business community, embraced by Democrats, embraced by Republicans.
We could pass all of that right now. It's just being held hostage to this idea that the federal government should be setting the standards.
GJELTEN: And - but just to make this clear, Larry, your organization did urge lawmakers to reject this latest proposal?
CLINTON: Yeah, we said that this proposal should be referred back to the committees of jurisdiction. No one had seen this latest proposal until the very last week of July, as Congress was ready to go out for their August recess. We had never seen the language at all, never been subject of any Senate hearing or gone through any committee for a markup.
As we said, we thought this was moving in the right direction, but there were a lot of questions that were unanswered by this. How do we set up the economics so that we have the financing to upgrade the SCADA systems - the so-called SCADA systems - that are used to protect our critical infrastructure? What's the menu of incentives we need to put in place to overcome some of the economic issues so that we can do this on a sustainable basis.
CLINTON: Those questions need to be developed and answered, and that's what we said.
GJELTEN: OK, Larry Clinton is president of the Internet Security Alliance. Later in the program, we're going to hear from James Lewis, who says Capitol Hill politicking is undermining cybersecurity. We're talking about how to keep plants, factories and businesses that provide critical services safe from hackers. Stay with us. I'm Tom Gjelten. This is TALK OF THE NATION from NPR News.
(SOUNDBITE OF MUSIC)
GJELTEN: This is TALK OF THE NATION. I'm Tom Gjelten. Government intervention in private enterprise has always been a sensitive issue, and when it comes to the businesses that manage the country's critical infrastructure, the power grid, the water system, the telecommunications system, the challenge is all the greater.
Everyone agrees these critical facilities need to be protected from computer attacks. The question is how. Government regulation or market incentives? That's the big debate. A recent Senate legislative proposal to protect the power and water systems and other industries from cyber-attack, the Cybersecurity Act of 2012, failed. It laid out some security standards for businesses to meet.
If you run a business that would be affected by legislation like that, we want to know what role do you think government should play in your cybersecurity readiness. Give us a call, 800-989-8255. Or email us, email@example.com. Larry Clinton is my guest. He's president of the Internet Security Alliance, a trade group that favors market forces over government regulation as the best way to protect critical infrastructure.
In a few minutes, an opposing view from James Lewis from the Center for Strategic and International Studies, but first, Larry, as Ken Dilanian said earlier in the program, you were opposed, and all of you who were critical of this last proposal were opposed by quite an impressive group of national security leaders, including General Alexander, head of the Cyber Command, including the director of national intelligence, including some former officials in the Bush administration. How is to be arrayed against all these national security luminaries on an issue of such importance like this?
CLINTON: I'm glad you asked this, Tom. First of all, the Internet Security Alliance was created 12 years ago. Our sole mission is to enhance our nation's cybersecurity. So we've been campaigning for this for over a decade. I have to push back a little bit, I'm afraid, on this notion that we are arrayed against all the security people. Let me point out two quick things.
One, the gentleman who led the opposition to this bill in the Senate is an individual named John McCain. Now, everyone, regardless of your political stripe, in this country knows John McCain would do anything that he thought was appropriate to enhance our nation's cybersecurity. He will go against the business community; he's proven he's done it. He'll go against his own party, he's done it. He'll put his own life on the line if he feels it's in the interest of cybersecurity.
Senator McCain and all of his colleagues were against this bill because it was anti-security. What this bill did - yes, there was consultation initially, in the early stages of the bill, with the private sector, but then it turned over the final decision as to where the - what the standards and practices would be to a group of political appointees, people like the secretary of commerce and secretary of DHS who had no real knowledge of cybersecurity.
As Ken pointed out in the first segment, we have had a tremendous increase in critical infrastructure cyberattacks, 17 times according to General Alexander in the last couple years, and we've never had any of these catastrophes that are alluded to in the president's op-ed.
GJELTEN: So Larry, do you think this is - these guys are being alarmist? Do you think this threat is sort of overhyped?
CLINTON: I was disturbed by some of the rhetoric on the Senate floor. My guess is that some of the things that was being said on the Senate floor went beyond what the actual briefings were, and I thought that that was counterproductive.
The people who have been fighting this, the generals in the field of cybersecurity, are the people in the private sector, critical infrastructure, who are fighting these attacks on a daily basis. These are the people who need to be making the final decisions with regard to security standards and practices, not a group of political appointees.
Now, if we can evolve a system that does that and provides them with the tools, both technical and economic - and Jim Lewis is going to be on in a couple minutes, a study that his own organization, CSIS, did a couple years ago said the principal problem with cybersecurity in critical infrastructure is not technical, it is cost. And the Senate bill did nothing to address the fundamental cost issues that we have to deal with here.
And that's what the IS Alliance has said we need to do. We need to include both the technology but also the economics of cybersecurity because unless we do it on that basis, no system is going to be sustainable.
GJELTEN: All right, Larry. You know, one of the analogies that's made in this regard is the standard that all car manufacturers have to include seatbelts for the purpose of safety. Now, manufacturers weren't doing that on their own. It took a sort of a regulation to ensure that seatbelts are included in all cars. What's the - you know, why isn't there sort of an argument here for a similar standard to be applied against industries that hold the nation's infrastructure in their hands?
CLINTON: There is no analogy whatsoever between seatbelts and cybersecurity. Seatbelts technology hasn't change in 30 years. Cybersecurity technology changes constantly. The problem with seatbelts and car design in the '60s is that the cars weren't designed properly. The problem with cybersecurity is that - it's not the systems aren't designed properly, it's that they are under attack. They're under attack because all of the incentives favor the attackers.
Attacks are cheap, easy and profitable. Defense is a generation behind the attacker. You can't show return on investment to what you've prevented, and frankly law enforcement's virtually nonexistent. What we have to do is alter the incentive models.
If you come up with a cybersecurity standard, a seatbelt standard, if you will, for cybersecurity, it will be outmoded before it is - before the ink is dry on the paper. The attackers will look at it, and we've now given them exactly the target to attack. We need a much different model.
Digitalization changes everything. We need to invest our new system, our digital systems with the appropriate economics to generate increased security. Currently, all the economics motivate lack of security: cloud computing, mobile devices, these long international supply chains. Organizations, including the federal government, use these because they are so economically compelling. But they make the systems much less secure, so while we do need to deal with the technology, we also need to deal with the economics.
GJELTEN: Let's bring some listeners into the conversation now, Larry. First, Mick(ph) is on the line. I think, Mick, you're calling us from Columbus, Ohio. Good afternoon, welcome to TALK OF THE NATION.
MICK: Hi, thanks. One of the things that I'm greatly concerned about is not an economics and cost issue. I'm a security researcher. I've worked for top five financial institutions. The problem that I have with the federal government is they will have no problem asking us for evidence of cyber-attacks, of different nefarious things that people are doing, and we will gladly hand over relevant log information, but then we never hear from them.
And when we do ask for information with - regarding, you know, pending threats and what's out there on the landscape, we get only the vaguest of responses. We need to get more granular information, get actionable information and have it be a two-way street.
Currently, the government is like a black hole with that sort of stuff, and I'd love to hear your talk on that.
GJELTEN: OK, quick answer, Larry, and then we're going to give the ball to Jim Lewis.
CLINTON: He's absolutely right. The so-called public-private partnership has been primarily a one-way partnership where the federal government asks and is not giving back. Now, we're pretty encouraged by some of the new people over at DHS that they seem to be waking up to this, but absolutely correct, we do not get actionable information. We don't get timely information. We give, we do not receive back on the private sector, and that must be rectified.
GJELTEN: OK, Larry Clinton, president of the Internet Security Alliance, he joined us from member station WMFE in Orlando. Thank you very much, Larry, for joining TALK OF THE NATION.
CLINTON: My pleasure, Tom.
GJELTEN: And now we turn to James Lewis, he's the director of the Technology and Public Policy Program at the Center for Strategic and International Studies. Welcome to TALK OF THE NATION, Jim.
JAMES LEWIS: Thanks very much for having me.
GJELTEN: So I don't know if you - how much have you heard of Larry Clinton's explanation for why his organization and companies, like-minded companies oppose this proposal. You've been following this legislative debate, the activity around cybersecurity for a long time. What's your feeling this week, a week after this latest, watered-down bill failed to pass the Senate?
LEWIS: Yeah, is anybody surprised that this Congress couldn't deliver anything? Well, it's upsetting, of course, because the implications are if they can't deliver on something as basic as this, what about budget or any of the other big issues we face? You've heard a lot of excuses as to why this wasn't a good bill. Most of them were just, you know, made up to block doing anything. And that's kind of where we are at the moment. We don't want to do anything.
GJELTEN: Well, let's just talk for a minute about this, what seems to be the big issue here, at least as explained by Larry Clinton, and he says that, you know, you're requiring companies to do things, you're putting in place a kind of a compliance mentality, and you're not providing market incentives to get companies to do the right thing.
LEWIS: Well, unfortunately, that's wrong on two counts. This isn't a compliance mentality. It set performance standards, outcomes, and said here are things that you need to do to make your network more secure. We don't care how you do them. We just want you to certify once year that you've done something. And the second one is incentives. At the end of the day, there's only one kind of incentive, and that's money, right? And I don't know if we need to say tax breaks or direct cash payments or cost recoupment, but that's the kind of thing we're talking about is for companies to do what needs to be done to make America safer. We're going to have to pay them.
And I'm not entirely comfortable with that, because I'm not clear to me - it's not clear to me that we're talking about much of an additional expense. The standards are there. They're in the bill. This wouldn't have been hard to do.
GJELTEN: Well, Jim, what is the vulnerability of the American companies that - that provide the critical infrastructure, services and assets in this country? How vulnerable are they to cyber attack, and how much of a difference would forcing them to adhere to certain standards really make?
LEWIS: You know, we don't have a good handle on that because companies don't admit when they're hacked. We do know that most of the companies that have been looked at turned out to be vulnerable to disruption, but you could easily have someone, you know, at some time soon - and we don't know when - turn off electrical power, disrupt the water supply. The potential for disruption is growing, and we don't have a good handle on it. People are not doing the right things when they're inspected, and that's why there's a vulnerability.
GJELTEN: Well, you say people are not doing the right things when they're inspected. Just elaborate on what you mean by that.
LEWIS: Well, DHS has something called the Industrial Control Systems CERT, and they've looked at a number of critical infrastructure companies. In every one, you know, no company is deliberately doing the wrong things, but what you find is since they don't have a good idea of what the standards are, since they don't make cyber security a priority, you can find vulnerabilities in almost every one we looked at; even simple things like do you have your wireless networks connected to your control systems? Do you still rely on passwords? There's a lot of things we could do that aren't being done, and that's where we're getting stuck.
GJELTEN: Stay on the line for a couple more minutes, Jim. I want to go now to our listeners. Miguel is calling us from Denver, Colorado. Miguel, welcome to TALK OF THE NATION. Your comment or question?
MIGUEL: Good afternoon. I've been building automated machinery for about 15 years, and I don't think people really understand how broad an impact this has on our world. You know, everything from our generators, you know, right down to machinery that, you know, unloads plastic parts are all controlled by these controllers. And it's not uncommon at all in our industry for us to log in from a remote location and operate that machinery. And in the case of something, for instance, like, you know, a generator or a power grid, I can flip a valve and shut it down or blow it up.
And there is no real emphasis on the security. You know, as a matter of reference, all of our prisons are controlled by these, you know, by PLCs. And if somebody knew what they were doing, it would be really not a problem at all to go open all the cells.
GJELTEN: Well, Miguel, what you're talking about is exactly the kind of problem that Jim Lewis and others have called attention to, and it's, I guess, really underscores the need for some kind of cyber security proposal. That's what we're talking about. You're listening to TALK OF THE NATION from NPR News. So I do need to get you, Jim, to deal with this issue. Now, Miguel certainly raised the point that this is a serious concern and a real danger, but we've also heard that there's been a lot of hype, you know, some of these scenarios that are thrown out there about trains derailing and toxic clouds and things blowing up.
You know, there are a lot of people that say that, you know, that this is all hype. I recall a story not too long ago about a water system in Illinois that was supposedly, you know, attacked by somebody in Russia, and it turned out to be a bit of a false alarm. Didn't it, Jim?
LEWIS: Well, it turned out that that was exactly the sort of problem we're talking about. There is hype, no doubt about it. That water system wasn't hacked, but someone was able to call in from Russia and take control of that facility. That's not something you want to do, and that's a sign of weak authentication, of poor security. The idea that you could have someone call in from Russia - and by the way, the Russians probably recorded everything in that call, including the passwords - that doesn't make me feel comfortable about us being secure.
GJELTEN: So you do feel and we're talking here - we're primarily talking about the prospect of an attack on infrastructure. Leaving aside everything that's going on in the espionage area, you do feel that the nation's infrastructure, at this current moment, could be attacked either by an adversary or by a terrorist group with devastating consequences? Let's get that clear.
LEWIS: Right now, there are several states, some of which that don't like us, that could disrupt critical infrastructure. And, you know, it's - people know what this is like. If you've lived through a blackout, if you saw the stock market disruption last week, that's the kind of thing we're talking about. The fact that it's not going to be catastrophic doesn't mean we should welcome it, however. One of the things that worries a lot of people is the growing capability of what we call non state actors, the terrorist groups, anarchists, you know, and the private hackers who have a grudge to launch these kinds of damaging attacks.
So one of the reasons we hope we could get legislation in place is that we could get ahead of the curve, and before we saw something bad happens make a reasonable effort to make our infrastructure more secure.
GJELTEN: Reasonable effort. What's the minimum that's required that you would support, Jim?
LEWIS: There's NSA, the National Security Agency, and NIST, the National Institutes of Standards and Technology, have come up with some basic standards, pretty simple stuff that are steps people can take that will reduce vulnerability in a measureable way. When I say measureable, we can count the success rate of opponents and the success rate falls by about 80 percent for penetration. So we know what to do. We're just not willing to do it.
GJELTEN: Very quickly, Jim, in what little time that remains here, is there something that the White House, that the federal government could do without congressional action to improve cyber security?
LEWIS: Yeah. One of the things that was funny about the last draft of the bill was it didn't give any new authority. It just said the agency should use their existing authorities to put in place mandatory standards for cyber security. Well, since there are no new authorities, you could do that now through an executive order. We know what to do. We even know how to do it. We just have to get somebody to say yes, make companies toe the line.
GJELTEN: OK. .Jim Lewis is the director of the Technology and Public Policy Program at the Center for Strategic and International Studies, a nonpartisan think tank. He's a big thinker, now an analyst on this cyber security issue. Thanks very much for joining us, Jim.
LEWIS: Thank you.
GJELTEN: And after a short break, we'll talk with our correspondents in Cairo and Tel Aviv about recent violence in Sinai and how it's affecting the region. Stay with us. I'm Tom Gjelten. This is TALK OF THE NATION from NPR News. Transcript provided by NPR, Copyright NPR.