CQ

CQ WEEKLY – IN FOCUS
Dec. 22, 2011 – 11:07 a.m.

The Other Kind Of Cyberwar

By Tim Starks, CQ Staff

When denizens of the intelligence world talk about “cyberwar,” they are usually referring to disastrous attacks, by one nation against another’s computer networks, that could shut down power grids, disrupt the banking system, derail trains or blow up oil pipelines.


BILL PUSH: Even Intelligence panel Chairman Rogers is focusing more on the economic rationale for heightened cybersecurity. (TOM WILLIAMS / CQ ROLL CALL)
 

That was not the kind of cyberwarfare that Mike Rogers, chairman of the House Select Intelligence Committee, was talking about last month, when he delivered a speech on his new cybersecurity bill.

“There is an economic cyberwar going on today against U.S. companies,” the Michigan Republican said in remarks to the National Cable and Telecommunications Association. “Economic predators, including nation-states, are blatantly stealing business secrets and innovation from private companies.”

When John O. Brennan, the White House’s chief counterterrorism and homeland security adviser, briefed top senators in October on the cyberthreat, his opening statement was, “This is a jobs and economic issue,” according to James Lewis, the Center for Strategic and International Studies’ cybersecurity expert. And this month, even the House Small Business panel got involved, with a subcommittee hearing on a topic that previously had been addressed almost exclusively by panels with security jurisdiction.

The nature of the cyberthreat has never been either/or: Security professionals and policy makers have always viewed it as something that ranges from identity theft to catastrophic attacks against crucial infrastructure.

But as both the House and Senate prepare to take up cybersecurity legislation in early 2012, the economic impact of cyberattacks is increasingly the focus. That may help propel major legislation, which stalled this year, over the finish line. But with most of the nation’s digital infrastructure controlled by businesses, lawmakers will have to walk a fine line between acting strongly enough to limit the economic damage and going so far that companies fear they’ll incur significant new costs.

Increasingly, lawmakers are recognizing cybersecurity as an economic issue: “That message is starting to resonate,” says Cheri McGuire, vice president of global government affairs and cybersecurity policy at the computer-security company Symantec Corp.

Large-Scale Damage


 

Estimating the total economic damage from cyberattacks is nearly impossible because many intrusions go undetected, and the real effect of those intrusions is difficult to calculate. On the high end, the computer-security company McAfee Inc. once estimated that those intrusions account for the theft of approximately $1 trillion in intellectual property (IP) annually. Lewis says he has seen some estimates closer to $25 billion, which he thinks is more likely. The intelligence community, meanwhile, will produce its own estimate in the coming months.

“Simply put, cyber IP theft means fewer American jobs,” says White House spokeswoman Caitlin Hayden. “But many cyber intrusions could be prevented by implementing sound cybersecurity practices.”

Cyberattacks can make headlines, though sporadically, because of their financial impact. McAfee in August revealed a series of attacks it had uncovered, dubbed “Operation Shady RAT,” that affected 72 organizations. “It was one of the most notable mass transfers of wealth via espionage in history,” says Phyllis A. Schneck, vice president of threat intelligence for the company, who testified before the House Small Business Subcommittee on Healthcare and Technology on behalf of the Software and Information Industry Association.

Given the current economic climate, reports like that are catching the eyes of policy makers, resulting in increased attention to the economic aspects of cybersecurity.

Lewis says the new focus is the natural result of people becoming educated about the real, rather than theoretical, harm being done by cyberattacks.

“I think, first, you already had a fair number of folks saying it,” Lewis says. “The second thing is that, as people have paid more attention to this, it’s a more plausible argument than some of the ridiculous war scenarios.”

Over time, too, more people have been directly affected by cyberattacks. “Most Americans don’t necessarily have it as their No. 1 issue,” says Yvette D. Clarke of New York, the top Democrat on the House Homeland Security subcommittee on cybersecurity. “But when you become a victim of identity theft, you want to get to the bottom of how that could have happened.” One such watershed moment for broader cybersecurity awareness occurred in April, Lewis says, when a cyberattack affected 100 million Sony PlayStation 3 user accounts worldwide.

Industry organizations such as the U.S. Chamber of Commerce have been the most powerful parties to seek congressional action on cybersecurity.

“There is a community out there in the world that tries, with great diligence, to undermine the economic viability of the American public through espionage,” Michael Powell, president of the National Cable and Telecommunications Association, said at the event where Rogers unveiled his cybersecurity bill.

Says McGuire of Symantec: “You’re hearing more from industry groups because they see firsthand the economic impacts of attacks on their systems.”

The Small Business Committee got involved partly because small businesses are, according to one study, the victims of nearly 40 percent of cyberattacks in the United States, and almost all businesses are increasingly reliant on the Internet for commerce.

Timing was another factor. The committee had been waiting for a House GOP cybersecurity task force to release its recommendations, and after it did so, in October, the Small Business panel and others responded with hearings.

Fighting Regulations

The House GOP task force called on Congress to avoid prescriptive cybersecurity regulations on businesses. Others have made similar recommendations. One reason is that the technology in the cyber realm evolves very quickly, and forceful mandates could swiftly become outdated. Another reason, though, is that strict regulation could be costly for businesses.

In the legislative arena so far, Congress’ proposals — and the White House’s legislative recommendations for Congress — have fallen along the continuum between “somewhat regulatory” and “purely voluntary.”

Overall, the emphasis has been on incentives for businesses, such as protections against lawsuits, to improve their cyber defenses and share information on cyberthreats with the federal government. Rogers’ bill, for instance, would establish procedures for businesses to receive classified information on cyberthreats but would not require them to share information in return. The White House’s legislative package contains a more prescriptive proposal, which requires owners of key crucial infrastructure to seek third-party audits of their cyber defenses.

Business groups have praised the Rogers bill and have been critical of the White House proposal. But some security experts have deemed even the White House’s legislative package too watered-down; they partially blame industry-group lobbying.

“I would call this weak tea, except the tea bag doesn’t seem to have actually touched the water,” Stewart Baker, a partner at Steptoe & Johnson LLP and former assistant secretary for policy at the Homeland Security Department, said in May when the package was released. “The privacy and business groups that don’t want us to do anything serious about the cybersecurity crisis have captured yet another White House.”

Congress, Schneck says, will have to navigate a path between strong action and overreaction. “It’s always a difficult balance,” she says. “The hardest part of good cybersecurity — it’s not the technology but the business and policy.”

FOR FURTHER READING: The Rogers bill is HR 3523. Cybersecurity liability protections, CQ Weekly, p. 2256; cybersecurity incentives, p. 1730; Congress’ role in private sector, 2010 CQ Weekly, p. 1858.

© Congressional Quarterly, Inc. All Rights Reserved.