CQ WEEKLY – IN FOCUS
Dec. 22, 2011 – 11:07 a.m.
The Other Kind Of Cyberwar
By Tim Starks, CQ Staff
When denizens of the intelligence world talk about “cyberwar,” they are usually referring to disastrous attacks, by one nation against another’s computer networks, that could shut down power grids, disrupt the banking system, derail trains or blow up oil pipelines.
That was not the kind of cyberwarfare that
“There is an economic cyberwar going on today against U.S. companies,” the Michigan Republican said in remarks to the National Cable and Telecommunications Association. “Economic predators, including nation-states, are blatantly stealing business secrets and innovation from private companies.”
When John O. Brennan, the White House’s chief counterterrorism and homeland security adviser, briefed top senators in October on the cyberthreat, his opening statement was, “This is a jobs and economic issue,” according to James Lewis, the Center for Strategic and International Studies’ cybersecurity expert. And this month, even the House Small Business panel got involved, with a subcommittee hearing on a topic that previously had been addressed almost exclusively by panels with security jurisdiction.
The nature of the cyberthreat has never been either/or: Security professionals and policy makers have always viewed it as something that ranges from identity theft to catastrophic attacks against crucial infrastructure.
But as both the House and Senate prepare to take up cybersecurity legislation in early 2012, the economic impact of cyberattacks is increasingly the focus. That may help propel major legislation, which stalled this year, over the finish line. But with most of the nation’s digital infrastructure controlled by businesses, lawmakers will have to walk a fine line between acting strongly enough to limit the economic damage and going so far that companies fear they’ll incur significant new costs.
Increasingly, lawmakers are recognizing cybersecurity as an economic issue: “That message is starting to resonate,” says Cheri McGuire, vice president of global government affairs and cybersecurity policy at the computer-security company Symantec Corp.
Estimating the total economic damage from cyberattacks is nearly impossible because many intrusions go undetected, and the real effects of those intrusions are difficult to calculate. On the high end, the computer-security company McAfee Inc. once estimated that those intrusions account for the theft of approximately $1 trillion in intellectual property (IP) annually. Lewis says he has seen some estimates closer to $25 billion, which he thinks is more likely. The intelligence community, meanwhile, will produce its own estimate in the coming months.
“Simply put, cyber IP theft means fewer American jobs,” says White House spokeswoman Caitlin Hayden. “But many cyber intrusions could be prevented by implementing sound cybersecurity practices.”
Cyberattacks can make headlines, though sporadically, because of their financial impact. McAfee in August revealed a series of attacks it had uncovered, dubbed “Operation Shady RAT,” that affected 72 organizations. “It was one of the most notable mass transfers of wealth via espionage in history,” says Phyllis A. Schneck, vice president of threat intelligence for the company, who testified before the House Small Business Subcommittee on Healthcare and Technology on behalf of the Software and Information Industry Association.
Given the current economic climate, reports like that are catching the eyes of policy makers, resulting in increased attention to the economic aspects of cybersecurity.
Lewis says the new focus is the natural result of people becoming educated about the real, rather than theoretical, harm being done by cyberattacks.
“I think, first, you already had a fair number of folks saying it,” Lewis says. “The second thing is that, as people have paid more attention to this, it’s a more plausible argument than some of the ridiculous war scenarios.”
Over time, too, more people have been directly affected by cyberattacks. “Most Americans don’t necessarily have it as their No. 1 issue,” says
Industry organizations such as the U.S. Chamber of Commerce have been the most powerful parties to seek congressional action on cybersecurity.
“There is a community out there in the world that tries, with great diligence, to undermine the economic viability of the American public through espionage,” Michael Powell, president of the National Cable and Telecommunications Association, said at the event where Rogers unveiled his cybersecurity bill.
Says McGuire of Symantec: “You’re hearing more from industry groups because they see firsthand the economic impacts of attacks on their systems.”
The Small Business Committee got involved partly because small businesses are, according to one study, the victims of nearly 40 percent of cyberattacks in the United States, and almost all businesses are increasingly reliant on the Internet for commerce.
Timing was another factor. The committee had been waiting for a House GOP cybersecurity task force to release its recommendations, and after it did so, in October, the Small Business panel and others responded with hearings.
The House GOP task force called on Congress to avoid prescriptive cybersecurity regulations on businesses. Others have made similar recommendations. One reason is that the technology in the cyber realm evolves very quickly, and forceful mandates could swiftly become outdated. Another reason, though, is that strict regulation could be costly for businesses.
In the legislative arena so far, Congress’ proposals — and the White House’s legislative recommendations for Congress — have fallen along the continuum between “somewhat regulatory” and “purely voluntary.”
Overall, the emphasis has been on incentives for businesses, such as protections against lawsuits, to improve their cyber defenses and share information on cyberthreats with the federal government. Rogers’ bill, for instance, would establish procedures for businesses to receive classified information on cyberthreats but would not require them to share information in return. The White House’s legislative package contains a more prescriptive proposal, which requires owners of key crucial infrastructure to seek third-party audits of their cyber defenses.
Business groups have praised the Rogers bill and have been critical of the White House proposal. But some security experts have deemed even the White House’s legislative package too watered-down; they partially blame industry-group lobbying.
“I would call this weak tea, except the tea bag doesn’t seem to have actually touched the water,” Stewart Baker, a partner at Steptoe & Johnson LLP and former assistant secretary for policy at the Homeland Security Department, said in May when the package was released. “The privacy and business groups that don’t want us to do anything serious about the cybersecurity crisis have captured yet another White House.”
Congress, Schneck says, will have to navigate a path between strong action and overreaction. “It’s always a difficult balance,” she says. “The hardest part of good cybersecurity — it’s not the technology but the business and policy.”
FOR FURTHER READING:
The Rogers bill is