Today Congressman Dan Lungren (R-Gold River), who is Chairman of the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, was the keynote speaker at the CA Information Security Forum at the Hyatt Regency in downtown Sacramento.
During the speech, Congressman Lungren shared his thoughts on the current state of cybersecurity, the important infrastructure we need to protect, and the legislative road ahead.
The following are excerpts from Lungren's speech:
Thirty years ago, the concept of cyberwar was in the minds of only a few DOD researchers, academics and novelists. Today our economy is so digitally connected -- computers, iPads, BlackBerrys -- that we struggle daily to protect our personal information, intellectual property and government secrets from cyber theft. President Obama indicated the gravity of this threat when he stated recently in the WSJ, "attacks in cyber space pose the most serious economic and national security challenge America faces".
The reason the President made this statement is that cyber attacks are growing more frequent, sophisticated, and dangerous. From 2009 to 2011 our nation experienced a twentyfold increase in cyber attacks, which amounts to a cyber intrusion every 90 seconds.
This rapid growth of the cyber threat is enabled by the information revolution and our nation's growing digital connectivity. The information revolution launched by the internet has reached into every corner of our lives. It provides users with many benefits while also exposing them to new risks from cybercriminals, spies and terrorists using the internet as a pathway to our personal bank accounts, intellectual property and even our critical infrastructure.
One of the most sophisticated cyber attacks we have identified is the "Stuxnet" malware which targets critical infrastructure. Stuxnet is an offensive cyber weapon designed to cause physical damage by interfering with a facility's critical operations i.e., its control systems. If a terrorist or other adversary used Stuxnet malware to seize control of our dams, chemical or power plants, it could inflict massive death and destruction.
Stuxnet is a game changer. It raises the stakes in the war on terror by demonstrating how cyber attacks can destroy critical infrastructure, the backbone of our productive economy. I agree with President Obama that cyber attacks on critical infrastructure will impact our national and economic security, as well as jeopardize the health and safety of our citizens.
Most of the critical infrastructure that our Nation depends upon is privately owned and operated. Currently, private industry is responsible for protecting its own assets from cyber attack on a voluntary basis. With the Government having access to intelligence not available in the private sector and the private sector knowing how their systems are configured and operated, the public-private partnership is the best way to improve our critical infrastructure cyber defense.
Federal policy recognizes the importance of the public-private partnership model to coordinate policy and information sharing, including the dissemination of sensitive cyber threat information. A 2010 GAO report (July 15, 2010, GAO-10-628) concluded that this model needs improvement. Private sector partners complain that they get very little of what they need most: actionable threat information from the government. The reason usually given is that no secure mechanisms exist for sharing actionable threat information. The private sector also hesitates to share its proprietary information with the federal government for fear of public disclosure.
This inherent mistrust between government and the private sector must be overcome. A cybersecurity regulatory framework, however, is not conducive to a trusted partnership. It inhibits communication and stifles cooperation. The Government should facilitate, not mandate, cybersecurity improvements. This is why I strongly believe we should incentivize critical infrastructure owners to improve their cybersecurity practices rather than mandate those standards.
Information sharing, specifically threat information, is critical to an effective cyber defense strategy. If you don't know the threat, it is difficult to defend against it. The more the cyber threat is understood, the better the private sector and the government can protect their networks.
I strongly support sharing as much actionable threat information with the private sector as possible. This was the focus of the legislation we passed in the House earlier this year and it is a critical first piece to an effective cyber defense.
What was missing in our House passed legislation was any effort to address the cyber vulnerabilities of our woefully under-protected critical infrastructure.
Some in Washington argued that sharing cyber threat information was sufficient to defend against cyber attacks. I don't agree and I'm not alone. General Keith Alexander, head of U.S. Cyber Command and NSA, stated earlier this year that while information sharing is important, it is not enough.
We also need to raise critical infrastructure cybersecurity standards, but this shouldn't be done by government mandate. Because the private sector has the knowledge and expertise of their own systems, we need their support and cooperation to raise cyber standards. In this instance, private sector cooperation is best achieved with business incentives, such as limiting liability, when standards are improved.
A good example of why we need to be concerned about cyber threats to critical infrastructure is our nation's electric grid, arguably the most critical of our nation's infrastructures. Our economy is dependent on the reliable supply of electric power. The East Coast blackout of 2003 demonstrates that dependence. While power was restored for the majority of those affected within 48 hours, the cost to our economy was between $6 billion and $10 billion. The economic cost of a sustained power outage would be even more devastating.
The electric grid is one of the most complex networks ever engineered, capable of generating millions of watts of power, over hundreds of thousands of miles of transmission lines, to over 300 million people in North America. The grid is also resilient with power usually restored quickly after devastating storms and other disturbances.
Unfortunately, today's threats to the grid are no longer just storms, stray animals or petty vandalism. Along with the rest of our economy, the grid has become more dependent on computers and networks to reduce costs and increase efficiency. These digital computer and network connections also increase the vulnerability of our technology infrastructure to malicious attacks.
The electric grid has not yet experienced widespread, debilitating cyber attacks. However, this good fortune may be short-lived unless cybersecurity vulnerabilities become a higher priority for the electric industry. This is especially true now that the traditional physical separation between a business's industrial control systems and its administrative networks is disappearing. As a digital economy, we must secure the integrity of our electric grid to sustain this nation's economic growth and national security.
Another target of cyber attack is our federal government networks. What should the proper role of government be in protecting our federal networks? I believe we need a governmental agency to be the operational leader in protecting our federal networks. We have a cyber coordinator in the White House but he focuses on policy rather than operations. The various governmental departments have individual responsibility for protecting their own networks but overall federal network security needs coordination. Unfortunately, no agency has yet been designated to protect our government communication systems and networks.
NSA can't perform this function as it is part of the U.S. Military's Cyber Command. The Department of Homeland Security has greatly improved its cyber capability and is the logical lead cybersecurity agency for federal networks (Gen. Alexander agrees).
Legislative Road Ahead
Because cyber attacks threaten all sectors of our economy, they touch the jurisdiction of multiple House and Senate Committees. This divided jurisdiction has made a comprehensive legislative solution very difficult.
As Chairman of the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee of the Homeland Security Committee and in my role as Chairman of the Committee on House Administration, where I oversee the cybersecurity of the entire House IT network, I have a very strong interest in improving our nation's cyber defenses.
Information sharing between government and the private sector is a critical tool for identifying cyber risks and developing tailored cyber defenses. This spring the House passed cyber legislation which emphasized information sharing but failed to include a framework for protecting critical infrastructure.
While information sharing is important, I agree with General Alexander, head of U.S. Cyber Command, who believes that standards to protect critical infrastructure are as important as information sharing when defending against cyber attacks. As a result, I am co-sponsoring a bill in the House (H.R. 6221) with Rep. Clarke, my Subcommittee's Ranking Member, which identifies the cyber risk to our numerous economic sectors. This is necessary to ensure that, even if there are no standards in place, critical infrastructure owners and operators who are made aware of the threats will do more to protect their substantial infrastructure investments.
The Lieberman-Collins compromise bill in the Senate creates a public-private partnership to set cybersecurity standards for critical infrastructure and offers immunity from liability to those who adopt them. It also permits information sharing between the private sector and the federal government on threats, incidents and remedies.
Another group, led by Senator McCain, is pushing for improved information sharing in the Senate, similar to the bill which passed in the House. Unfortunately, the Congressional calendar leaves little time to pass this important legislation and reconcile the differences.
I have always supported a strong collaborative cybersecurity partnership between government and the private sector. By building stronger cyber partnerships, we can better protect our cyber-reliant critical infrastructure and our economic prosperity and national security in the 21st century.