Last month Congressman Dan Lungren (R-Gold River), who is Chairman of the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, was the keynote speaker at the California Information Security Forum at the Hyatt Regency in downtown Sacramento.
During the speech, Congressman Lungren shared his thoughts on the current state of cybersecurity, the important infrastructure we need to protect, and the legislative road ahead.
The following are excerpts from Lungren’s speech:
Thirty years ago, the concept of cyberwar was in the minds of only a few DOD researchers, academics and novelists. Today our economy is so digitally connected – computers, iPads, BlackBerries – that we struggle to protect our personal information, intellectual property and government secrets daily from cyber theft. President Obama indicated the gravity of this threat when he stated recently in the WSJ, “attacks in cyber space pose the most serious economic and national security challenge America faces.”
The reason the President made this statement is that cyber attacks are growing more frequent, sophisticated, and dangerous. From 2009-2011 our nation experienced a twentyfold increase in cyber attacks, which amounts to a cyber intrusion every 90 seconds.
This rapid growth of the cyber threat is enabled by the information revolution and our nation’s growing digital connectivity. The information revolution launched by the internet has reached into every corner of our lives. It provides users with many benefits while also exposing them to new risks from cybercriminals, spies and terrorists using the internet as a pathway to our personal bank accounts, intellectual property and even our critical infrastructure.
One of the most sophisticated cyber attacks we have identified is the “Stuxnet” malware which targets critical infrastructure. Stuxnet is an offensive cyber weapon designed to cause physical damage by interfering with a facility’s critical operations, i.e., its control systems. If a terrorist or other adversary used Stuxnet malware to seize control of our dams, chemical or power plants, it could inflict massive death and destruction.
Stuxnet is a game changer. It raises the stakes in the war on terror by demonstrating how cyber attacks can destroy critical infrastructure, the backbone of our productive economy. I agree with President Obama that cyber attacks on critical infrastructure will impact our national and economic security, as well as jeopardize the health and safety of our citizens.
Public-Private Partnerships
Most of the critical infrastructure that our Nation depends upon is privately owned and operated. Currently, private industry is responsible for protecting its own assets from cyber attack on a voluntary basis. With the Government having access to intelligence not available in the private sector and the private sector knowing how their systems are configured and operated, the public-private partnership is the best way to improve our critical infrastructure cyber defense.
Federal policy recognizes the importance of the public-private partnership model to coordinate policy and information sharing, including the dissemination of sensitive cyber threat information. A 2010 GAO report (July 15, 2010, GAO-10-628) concluded that this model needs improvement. Private sector partners complain that they get very little of what they need most: actionable threat information from the government. The reason usually given is that no secure mechanisms exist for sharing actionable threat information. The private sector also hesitates to share its proprietary information with the federal government for fear of public disclosure.
This inherent mistrust between government and the private sector must be overcome. A cybersecurity regulatory framework, however, is not conducive to a trusted partnership. It inhibits communication and stifles cooperation. The Government should facilitate, not mandate, cybersecurity improvements. This is why I strongly believe we should incentivize critical infrastructure owners to improve their cybersecurity practices rather than mandate those standards.