Hearing proposes more federal oversight in preventing cybersecurity breaches

Elise Young Contributor
LulzSec’s string of cyber-attacks on government websites may not have given officials any laughs, but at least it taught them a lesson.

Senators and officials said Tuesday the recent security breaches – including ones on Citibank and Bank of America, along with the attack on Google which originated from China – underscore the importance of adopting more comprehensive cyber-security legislation.

Since April, big-name companies such as Lockheed Martin, Sony, the International Monetary Fund, and the CIA, as well as several U.S. Senate websites reported hacks and other cyber-intrusions, said Sen. Sheldon Whitehouse (D-R.I.), chairman of the Senate Judiciary Subcommittee on Crime and Terrorism, at a hearing Tuesday.

“Our increased connectivity allows criminals, terrorists and hostile nations to exploit cyberspace to attack America, invade our privacy, loot our intellectual property and expose America’s core infrastructure to cybersabotage,” he said.

In response to congressional concerns about America’s evolving cybersecurity needs, the Obama administration released a legislative proposal in May to standardize companies’ methods for reporting breaches and allow the Department of Homeland Security to expand its involvement in detecting and preventing cyber-attacks, as well as create and protect a yet-undefined group of “critical infrastructure” corporations.

“The main goal of this proposal is to maximize the country’s effectiveness in protecting security,” said Ari Schwartz, senior internet policy advisor at the National Institute of Standards and Technology at the U.S. Department of Commerce.

Although officials agree that updated legislation on cybersecurity is necessary, some harbor concerns about whether parts of the administration’s legislation would give government too large a role in monitoring the nation’s cybersecurity in the public — and private — sectors.

The administration’s proposal would standardize reporting of cyberattacks, even though 47 states already have laws in place for reporting attacks. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said he disagrees with that part of the proposal.

“It is also important for new rules not to impinge on the frameworks of laws that were already established,” he said.

Rotenberg said the center does not object to the Department of Homeland Security’s role as outlined in the administration’s proposal, but it would caution against government overreaching its bounds in cybersecurity protection.

Whitehouse also raised questions about the proposal – he asked how “critical infrastructure” would be defined and subsequently protected.

He suggested creating a secure government-monitored domain on which enterprises deemed “critical infrastructure” would be located, so that those groups and other individuals would know that if they were on the domain, the Department would be looking over their shoulder.

Legislators also acknowledged that the administration’s proposal, if adopted, would not be a cure-all for the growing problem of protecting Americans online.

“We’re not supposing that this proposal has the answers for everything for all time,” said Sen. Richard Blumenthal (D-Conn.).

Rotenberg said consumers of internet service providers have been receiving more and more notifications of breaches and warnings about potential cyberattacks.

“We have a problem, and this problem is getting worse,” he said. “I don’t mean to suggest that passing legislation is going to solve it.”