President Barack Obama penned an op-ed in The Wall Street Journal published online late Thursday calling on the Senate to pass a new cybersecurity bill sponsored by Sen. Joseph Lieberman (I-CT) called the Cybersecurity Act of 2012.
The bill would provide legal immunity and a structured system for private companies and U.S. intelligence agencies to share information about national cyber threats.
But a range of cybersecurity experts agree that it in its current form, the bill won’t do much to protect the U.S. from the doomsday scenarios described as potential risks by the president in his op-ed and previously by top defense and intelligence officials.
Obama begins his op-ed calling for the bill’s passage with such a hypothetical national nightmare: A devestating cyber-attack on America’s infrastructure, which the president’s team used as an emergency response readiness drill.
Last month I convened an emergency meeting of my cabinet and top homeland security, intelligence and defense officials. Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill…
Our nation, it appeared, was under cyber attack. Unknown hackers, perhaps a world away, had inserted malicious software into the computer networks of private-sector companies that operate most of our transportation, water and other critical infrastructure systems.
Obama then follows-up by describing several real world instances of less devastating cyber intrusions, including the November 2011 case when a hacker known as “pr0f” successfully accessed the control systems of several water treatment plants in South Houston, Texas, and posted photos of his work online, as well as a condemnation of the Department of Homeland Security for downplaying the issue of lax security on such pieces of critical infrastructure.
The president also pointed to a massive malware campaign targeting U.S. natural gas pipeline computers that the Department of Homeland Security said had been going on since at least December 2011.
But those incidents are pittance compared to attacks that are likely to be attempted in the near term, according to the president.
“In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home,” Obama writes.
Experts disagree on the likelihood of such attacks on American infrastructure control systems — also known as Supervisory Control And Data Acquisition systems, or SCADA — in the near future.
“What he’s talking about is pretty complex,” said Noah Shachtman, a non-resident fellow at think-tank the Brookings Institute and the founder of the Wired defense blog Danger Room. “We’ve certainly seen with Stuxnet that electronic attacks can have pretty severe real world consequences, but we also saw that you needed a number of original ways to break into computer networks in order to get to the controllers that ran the centrifuges at Natanz.”
Indeed, to Shachtman’s point, other security analyses of the Stuxnet malware, which is reported to have damaged up to 1,000 centrifuges at the Iranian nuclear facility in Natanz back in 2010, must have been physically carried by someone into the plant on an infected USB drive.
Jeffery Carr, founder of boutique cyberseurity firm Taia Global, disagrees that perpetrating such cyber strikes on the U.S. would be prohibitively difficult.
“You’d basically need one or more engineers with SCADA experience and moderate hacking skills,” Carr said. “The bar really isn’t all that high.”
Stuxnet and another malware campaign recently detected in Iran known as Flame are both reported to be the work of a joint U.S.-Israeli cyber espionage and attack effort aimed at undermining Iran’s nuclear program, according to articles in The New York Times and The Washington Post citing anonymous top officials.
On that subject, all security experts TPM spoke with agree that the one nation that almost certainly has the capability to carry out such a devastating attack.
“The U.S. could probably execute that scenario [described in the President’s op-ed] against another nation,” said James Lewis, director of the Technology and Public Policy Program at the Center For Strategic and International Studies, a foreign policy think tank.
“Could the National Security Agency do this for U.S. Cyber command? Sure,” Lewis continued. “But we’re not alone in that capability. There are three or four peers who could do it too, including Russia and China, and a lot of other countries are trying to acquire it. Iran and North Korea both have long programs to do just that.”
“I think that when top U.S. officials talk about these catastrophic cyber attacks, they’re talking about themselves,” Shachtman told TPM. “We’re only scared of what others might do because of what we’ve done.”
There’s another point where security experts seem to have broad agreement, and it doesn’t bode well for U.S. cybersecurity preparedness: That the new bill that Obama advocates on behalf of in his op-ed, the Cybersecurity Act of 2012, has been neutered to the point of ineffectuality.
Lieberman originally introduced the bill in February but the Senate has been slow to act on it, with Republicans critical of provisions that would give the Department of Homeland Security the power to require that so-called critical infrastructure operators — namely utilities companies — to put certain cybersecurity measures in place.
Now that power has been stripped from a new version of the bill introduced by Lieberman and his cosponors on Thursday.
“Even if Congress passes cyber security legislation, it won’t stop this threat,” Carr said. “That’s the real story. No one including the President has the political will to force privately owned companies to spend what’s needed to protect our critical infrastructure, even if that spending drives down profits for a short time. The current legislation is entirely on a voluntary basis, which is utterly useless.”
“It doesn’t give anyone any new authorities to do anything,” Lewis said. “Everything that’s in the bill, you could already do now.”
The Senate is expected to hold a vote on the bill in the coming days. The House has already passed alternate cybersecurity legislation, known as CISPA, which was criticized by advocacy groups for having the potential to infringe on Web users’ privacy and civil liberties. Both the Senate and the House have to pass the same bill and the president must sign it in order for it to become law.
