When we hear that getting incentives right and letting the private sector lead or sharing more information will secure the nation, remember that we’ve spent 15 years proving this doesn’t work.

Some people say the threat is exaggerated. This is unfortunate. We are on course to repeat in cybersecurity the 9/11 error of ignoring risk.

_________________________________________________
This article was adapted from oral testimony delivered at a cybersecurity hearing Feb. 16 of the Senate Committee on Homeland Security and Governments Affairs Feb. 16.

_________________________________________________

The threat is real and growing. Military and intelligence services with advanced cyber capabilities can penetrate corporate networks with ease, cybercriminals and government-sponsored hackers routinely penetrate corporate networks, and new attackers, ranging from Iran and North Korea to a host of anti-government groups are steadily increasing their skills.

A bill without critical infrastructure regulation is like a car without an engine… The alternative is to wait for the inevitable attack.”

The intersection of greatest risk and weakest authority is critical infrastructure. National security requires holding critical infrastructure to a higher standard than the market will produce.

This bill has many useful sections, on education, research, securing government networks, and international cooperation. They all deserve support. But the main event is regulating critical infrastructure for better cybersecurity. Without this, everything else is an ornament and America remains vulnerable. The low hanging fruit won’t make us safer, and a bill without critical infrastructure regulation is like a car without an engine.

There are all sorts of objections to moving ahead. We hear that innovation could be damaged, but well-designed regulation will increase innovation. Companies will innovate in making safer products. We’ve seen this with federal regulation of cars, airplanes, even as far back as steamboats.

Everyone agrees that we need to avoid burdensome regulation and focus new authorities on truly critical systems. The bill as drafted, takes a minimalist and innovative approach to regulation, based on commercial practices.

Many in Congress recognize the need for legislation. The Committee and others in the Senate and House deserve our thanks for taking up this onerous task.

But the battle has shifted. People will try to dilute legislation, put forward slogans instead of solutions, and write in loopholes. The goal should be to strengthen, not dilute.

Two problems need attention. The first is the threshold for designating controlled critical infrastructure. Cyber-attacks in the next few years won’t cause mass casualties. They will be targeted and precise. Set the threshold too high and we are simply telling attackers what infrastructure to hit.

The second is the carve-out for commercial information technology. It makes sense that industry does not want government telling them how to make products.

But a blanket exemption on services, maintenance, installation, and repair, would undo essential work started by the Bush Administration and leave the door open for a Stuxnet-like attack against America. Let’s drop them paragraphs (a) and (b) of Section 104 (b)(2) from the bill.

In any important legislation, there is a delicate balance between protecting the nation and minimizing burdens on our economy. Congress can find the balance that best serves the national interest by strengthening this bill. The alternative is to wait for the inevitable attack.

Dr. James A. Lewis is director and senior fellow, Technology and Public Policy Program, Center for Strategic and International Studies. A copy of his prepared testimony is available here.