A divided Congress confronts a rising cyberthreat

April 22, 2012 By RICHARD LARDNER and DONNA CASSATA , Associated Press
This Sept. 30, 2011 file photo shows a reflection of the Department of Homeland Security logo in the eyeglasses of a cybersecurity analyst at the watch and warning center of the Department of Homeland Security's secretive cyber defense facility in Idaho Falls, Idaho. The center is tasked with protecting the nation’s power, water and chemical plants, electrical grid and other facilities from cyber attacks. (AP Photo/Mark J. Terrill, File)

(AP) -- The mysterious caller claimed to be from Microsoft and offered step-by-step instructions to repair damage from a software virus. The electric power companies weren't falling for it.

The caller, who was never traced or identified, helpfully instructed the companies to enable specific features in their computers that actually would have created a trapdoor in their networks. That vulnerability would have allowed hackers to shut down a plant and thrown thousands of customers into the dark.

The power employees hung up on the caller and ignored the advice.

The incident from February, documented by one of the government's emergency cyber-response teams, shows the persistent threat of electronic attacks and intrusions that could disrupt the country's most critical industries.

The House this coming week will consider legislation to better defend these and other corporate networks from foreign governments, cybercriminals and . But deep divisions over how best to handle the growing problem mean that solutions are a long way off.

Chief among the disputes is the role of the government in protecting the private sector.

The U.S. Chamber of Commerce and other business groups oppose requiring cybersecurity standards. Rules imposed by Washington would increase their costs without reducing their risks, they say.

Obama administration officials and say companies that operate , communication systems, chemical facilities and more should have to meet performance standards to prove they can withstand attacks or recover quickly from them.

The rift echoes the heated debate in Washington over the scope of government and whether new regulations hamper private businesses.

Homeland Security Secretary Janet Napolitano said Friday that without standards for critical industries, there will be gaps that U.S. adversaries can exploit. "That system, which is mostly in private hands, needs to all come up to a certain baseline level," she said.

The proposed formation of a system that allows U.S. intelligence agencies and the private sector to share information about hackers and the techniques they use to control the inner workings of also is contentious.

Civil libertarians and privacy advocates worry that a bill written by the Republican chairman and top Democrat on the House intelligence committee would create a backdoor surveillance system by giving the secretive National Security Agency access to private sector data.

The agency, based at Fort Meade, Md., is in charge of gathering electronic intelligence from foreign governments but is barred from spying on Americans. Army Gen. Keith Alexander, the NSA's director, also heads the Pentagon's Cyber Command, which protects military networks.

"The question is whether this is a cybersecurity bill or an intelligence bill," said Leslie Harris, president of the nonprofit Center for Democracy and Technology. "There is just a fundamental debate over what role the National Security Agency should have in protecting civilian networks."

Intelligence agencies say the bill grants no new power to the NSA or the Defense Department to direct any public or private cybersecurity programs. But committee leaders said they are open to making changes to ease the privacy concerns as long as the alterations don't undermine the goals of the bill.

Businesses including Facebook and the Edison Electric Institute support the bill because it leaves it to individual companies and industries to decide how best to prevent attacks.

House Republicans last week scaled back a separate piece of legislation that would have given the Department of Homeland Security and other federal agencies responsibility for ensuring that critical industries met security performance standards. But those requirements were dropped from the bill during a meeting of the House Homeland Security Committee.

Rep. Jim Langevin, co-chairman of the Congressional Cybersecurity Caucus, said the bill was "gutted" because the House Republican leadership sided with business interests opposed to regulations. "We cannot depend on the good intentions of the owners and operators of infrastructure to secure our networks," said Langevin, D-R.I.

The GOP-led House appears to be heading for a showdown with the Democratic-run Senate over an approach on cybersecurity.

A bill sponsored by Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Maine, would give Homeland Security the authority to establish set security standards. Their bill is backed by the Obama administration but it remains stalled in the Senate.

The legislation faces stiff opposition from senior Senate Republicans.

Arizona's John McCain, the top Republican on the Senate Armed Services Committee, said during a hearing last month that the Homeland Security Department is "probably the most inefficient bureaucracy that I have ever encountered" and is ill-equipped to determine how best to secure the nation's essential infrastructure. McCain has introduced a competing bill.

There is little disagreement over damage from cyberattacks.

China and Russia are the most proficient at cyber-espionage, according to U.S. officials who last year accused the two countries of being "aggressive and capable collectors of sensitive U.S. economic information and technologies."

Rear Adm. Samuel Cox, Cyber Command's director of intelligence, said U.S. adversaries are developing cyberweapons at a rapid pace. Unlike the traditional tools of war, there is no technological ceiling for cyberweapons that can cause computers to crash or become hijacked remotely and lead to serious economic damage.

"There is no end in sight," Cox said. "It's not like, `Well, they're going to reach a limit as to how bad these things could be.'"

If the House intelligence committee's bill becomes law, companies could get "cyberthreat" information and intelligence from the government that would allow them to identify hackers by their electronic signatures and Internet addresses. With that data, which is collected by the NSA, businesses could block attacks or stop them before they do serious damage. Companies would be encouraged to give the government information about attacks but there is no requirement to do so.

The bill would exempt companies that act "in good faith" from liabilities that might come from protecting their own networks or sharing information with the government.

But one expert on the computer systems that monitor and control power grids, oil refineries and chemical plants said critical industries won't provide federal agencies with much because they don't trust the government. Joe Weiss, a nuclear engineer and managing partner of the consulting firm Applied Control Solutions, said another catch is that few companies do the forensic work necessary to understand why a failure occurred and whether it was an attack or simply a software malfunction.

"What information are you going to share," Weiss said, "when you don't even know you've had a problem?"

Explore further: White House set to unveil cyber plan


Related Stories

White House set to unveil cyber plan

May 12, 2011

The White House on Thursday is expected to unveil its proposal to enhance the nation's cybersecurity, laying out plans to require industry to better protect systems that run critical infrastructure like the electrical grid, ...

US bill seeks to improve cyber information-sharing

November 30, 2011

A bill intended to increase sharing of information about cybersecurity threats between government and the private sector was introduced in the US House of Representatives on Wednesday.

US Senate in new cybersecurity push

February 15, 2012

US senators, warning of potentially catastrophic cyberattacks, introduced a bill Tuesday aimed at protecting critical infrastructure such as power, water and transportation systems.

Bigger US role against companies' cyberthreats?

February 6, 2012

(AP) -- A developing Senate plan that would bolster the government's ability to regulate the computer security of companies that run critical industries is drawing strong opposition from businesses that say it goes too far ...

Experts urge stronger online regulation bill

February 16, 2012

Cybersecurity experts urged senators Thursday to close loopholes in legislation to give the government more power to force critical industries to make their computer networks more secure.

White House unveils cybersecurity plan

May 12, 2011

Companies that run critical U.S. industries such as power plants would get government incentives to make sure their systems are secure from computer-based attacks, the White House said Thursday, detailing its broad proposal ...

Recommended for you

Forget oil, Russia goes crazy for cryptocurrency

August 16, 2017

Standing in a warehouse in a Moscow suburb, Dmitry Marinichev tries to speak over the deafening hum of hundreds of computers stacked on shelves hard at work mining for crypto money.

Researchers clarify mystery about proposed battery material

August 15, 2017

Battery researchers agree that one of the most promising possibilities for future battery technology is the lithium-air (or lithium-oxygen) battery, which could provide three times as much power for a given weight as today's ...

Signs of distracted driving—pounding heart, sweaty nose

August 15, 2017

Distracted driving—texting or absent-mindedness—claims thousands of lives a year. Researchers from the University of Houston and the Texas A&M Transportation Institute have produced an extensive dataset examining how ...


Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Apr 22, 2012
Why would Congress be the institution to address 'cyber' threats? What do those idiots know about anything; much less spamming spoofing and intricacies of IP v.6?
not rated yet Apr 22, 2012
DHS people don't know how to trace a call and catch this caller?
What? Its done everyday on NCIS TV shows.
not rated yet Apr 22, 2012
What's their problem with putting some regulations in place - taxation "hampers private business" all the time. Are the lawmakers going to stop taxing?
1 / 5 (1) Apr 22, 2012
you people have no understanding of cyber security and the complexity it involves. DHS cannot trace a call because of the regulations in place to protect privacy.
Congress has the NSA, The CIA, and many other government agencies that have a much more intricate understanding of how cyber-security works. If you don't understand yourself I'd keep your opinionated comments more passive aggressive to avoid looking foolish.
Cyber security is an ever increasing threat to everything that sustains america. The best way to stop the threat is to take control of all security measures. Both facebook and Google has asked the NSA for help in order to increase security. You do not have the background to make such comments.
Please research the material you comment on. After having spent many years investigating myself I found truths that I wish I could forget.

We are talking about a government that has illegally placed GPS tracking devices on those that would even speak out against current policy.
1 / 5 (1) Apr 23, 2012
@Righteousrob you people have no understanding of cyber security and the complexity it involves.
LOL the appeal-to-authority logical fallacy.

BTW you come off as just another police state idiot.
0.2 / 5 (36) Apr 23, 2012
Well, you see. Conservatives think the Internet is a series of tubes.

"What do those idiots know about anything" - Shootist


This is the guy the Republicans put in charge to regulate telecommunications.
not rated yet Apr 23, 2012
Is the focus on detecting incursions, preventing them, or determining their origin? Prevention should be paramount. Detecting incursions is just one technique to assist in prevention. And figuring out where they came from (i.e. country of origin) isn't that useful from the perspective of an attacked target.

Over a long term, it's hard for a company's top level executives to justify "wasting" money on security. Especially for something intangible, like loss of IP. Maybe the threat of prison time, or crippling fines would help. Just sharing data doesn't sound that useful.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.