Senators spar over cybersecurity
February 16th, 2012
08:22 PM ET

By Suzanne Kelly

Senate members sparred Thursday over whether a new cybersecurity bill will effectively give the U.S. government and private security what it needs to defend itself against the dozens of attacks occurring daily on both government and private computer networks.

The Cybersecurity Act of 2012 proposes to house the government's cybersecurity headquarters within the Department of Homeland Security, which has already taken the lead among the government agencies on coordinating efforts to tackle sticky cybersecurity problems in cooperation with the National Security Agency.

Specifically, the act sets out guidelines for determining cybersecurity vulnerabilities, protecting and promoting innovation and encouraging companies to share information about cyberthreats, improving the security of the government's own cyber networks, and coordinating research and development while clarifying the roles of federal agencies.

Perhaps the most controversial effort of the Act is to establish a partnership between the government and the sector of private industry that controls "critical infrastructure" systems, such as the country's air traffic control system, water filtration facilities, banking systems and electrical grids.

Sen. John Rockefeller, D-West Virginia, perhaps made the most urgent case for passing the legislation, saying U.S. citizens are at great risk and they don't even know it.

"It's hard to talk about this sometimes without seeming alarmist," said Rockefeller before detailing how the threat in the cyberworld could strike in the real one, using the example of a potential attack on the nation's air traffic control system.

"Cyberhackers can take that out. So the planes are literally flying in the dark and they will fly into each other and kill a lot of people," Rockefeller said.

Under the legislation, private companies that control such "critical infrastructures" would be identified by the Department of Homeland Security, and each individual company would be required to secure its own networks from cyberattack and then "self-certify" in an effort to show the U.S. government it had complied. DHS would have the opportunity to spot check companies, and failure to secure could lead to civilian penalties. The voluntary nature of the bill is one of the criticisms.

Sen. John McCain of Arizona was one of seven Republican senators who sent a letter to the Senate leadership saying the bill had not been offered to other committees that should have a say in it. During Thursday's hearing, McCain talked about concerns on how the new measures would be paid for, and he expressed doubts about seating the department at what he referred to as the "regulatory leviathan at DHS."

"Given the serious national security and economic consequences of any legislation, it is imperative that the other committees of jurisdiction be given the opportunity to share the legislative outcome in a bipartisan manner," said McCain, who promised the introduction of an alternative bill on cybersecurity.

The chairman of the Homeland Security Committee, Sen. Joseph Lieberman of Connecticut, disagreed with McCain, saying that he had in fact reached out to all seven of the Republican senators who signed the letter and that everyone had the chance to work toward consensus.

"I'm sorry they haven't been engaged before and I'm glad they're gonna be engaged now," said Lieberman in a civil but tense exchange with McCain.

At a separate worldwide threats hearing earlier in the day, Director of National Intelligence James Clapper and Director of the Defense Intelligence Agency, Lt. General Ronald Burgess, both praised the bill and pressed lawmakers on the urgency of the threat.

Clapper listed counterterrorism, counterproliferation, cybersecurity and counterintelligence as the most pressing security concerns facing the intelligence community.

soundoff (27 Responses)
  1. Eren

    I would disagree that the supply chain terrorism is so unlikely as to be a myth. We might argue whether terrorism is the proper word. It's already happened, though I can't go into it (but if you've been paying attention over the last few years and understand it when you see it). Like stuxnet it's also a governmental thing, so perhaps gains its mythic status that way. However, as a more interesting possibility, we allow all kinds of software and hardware gladly into our lives on a daily basis. We also don't seem particularly fazed as a group when it's disclosed that personal information of one type or another is being farmed from our phones, computers, social networking sites, etc. A few people stand up and shout, but by and large everyone else just wants to get back to their Angry Birds game. It is not at all inconceivable that someone, terrorist or otherwise, will find a way to exploit that in a way we can't even guess at now. It's fair to say it hasn't really happened yet, but it's NOT fair to say it's a silly idea.

    April 4, 2012 at 6:56 am | Reply
  2. Alan Morris

    When the Stuxnet malware attacked the control systems of Iran’s nuclear enhancement plant in mid-2010, destroying 1,000 centrifuges, the attack was analyzed by top malware consultants, including Symantec in the US. Their reports are published on the web; ICS conferences are still being held to discuss Stuxnet. However, you will not read in the reports or hear at the conferences of the actual action that was taken by Stuxnet, the action that depended upon the write-always characteristic of the programmable memories of the PLCs (programmable logic controllers) of the control systems. These memories are identical to the reusable, rewriteable memories that are inserted into digital cameras. The Stuxnet malware corrupted the integrity of the programs stored on the PLCs’ memories. All PLCs that are in place in control systems, as well as all PLCs newly manufactured by ICS equipment vendors, have vulnerable write-always memories. ICS vendors, owners and operators remain unaware of, or purposely ignore, this crucial vulnerability.
    The alternative memory has a write-once characteristic. This write-once characteristic is also that of music CDs and movie DVDs used by millions around the world.
    Programming stored on a write-once memory cannot be corrupted by malware; write-once memory is invulnerable.
    If these facts interest you, we will be pleased to send additional information. The Senate has just released its cybersecurity legislation, and it is our opinion that DHS should be made aware of these facts.

    February 19, 2012 at 11:02 pm | Reply
    • Michaels

      The solution of a, as you call it, "write once memory" may seem to provide the solution that you are capable of understanding. What your solution proposes is apparently beyond what you understand about the functionality of industrial control systems. The solution that you propose is the same as listening to a politician's speech during an election year. Neither they, nor you, sufficiently understand the subject of which they speak, yet they continue to say the words because the resulting noise sounds good to their own ears. My suggestion to you is to invest 25+ years in your topic, completely understand that which you speak, and then cautiously offer your opinion. You'll look much less like a political ass and you'll actually have something intelligent to say. Please keep your ignorant ass out of my profession unless you've got the experience necessary to design, program, troubleshoot, and successfully build the type of systems that you wish to attempt to control with your half-baked ignorance!

      February 20, 2012 at 1:30 pm | Reply
  3. matt

    Why don't they bring in ACTUAL EXPERTS to design the bill instead of taking wild guesses as to what works and what doesn't? These people writing the bills have probably just finally figured out how to even turn on their computer, and have no business passing a law like this. This would cripple businesses like mine with endless analysis and maintenance that is nowhere near necessary to effectively protect your network.

    February 18, 2012 at 5:00 pm | Reply
  4. Clephas from Austin, TX

    Simplest and most sane decision would be to make a law requiring all vital infrastructure support systems to be cut off from access to the net entirely. While returning to such an analog system might seem necessarily costly, it will save us immense amounts in the long run on what would be needed to defend them from cyber attacks. However, people are addicted to the conveniences of modern systems, and it is unlikely they would agree to such a measure.

    February 17, 2012 at 10:44 pm | Reply
  5. What Is

    Many countries can get together 200 or 300 of their smartest computer people and develop cyber warfare abilities. It can be an equalizer for smaller nations. 30 people to study military satellites, 30 people on civilian satellites, 30 people on military communications, 30 people for financial vulnerabilities, etc.

    One historic example is the breaking of the German codes in World War II, when the British assembled a group of people for one very important intellectual purpose.

    With the Stuxnet cyber-warfare virus, said to have been developed by Israel, it would seem that the war has already begun, but they may rue starting the precedent.

    February 17, 2012 at 11:22 am | Reply
  6. Tom

    Sad truth is that the hackers are in our corporate and government networks. Meanwhile, the GOP, instead of defending America from these advanced threats and attacks, would rather sit back and tell you to not get abortions. Besides, their idea of watch everyone in America is as much of a failure as the TSA is, treat everyone like criminals here when the real criminals are safe in their own country.

    February 17, 2012 at 10:15 am | Reply
  7. Hahahahahaha

    "Oh yeah senator, I just sent you a virus!!!"...."A virus huh..well I just sent you one too senator" Hahahahahahahahaha

    February 17, 2012 at 9:37 am | Reply
  8. michaelfury

    Neo: Why do my eyes hurt?

    Morpheus: You’ve never used them before.

    February 17, 2012 at 7:30 am | Reply
  9. michaelfury

    "Cyberhackers can take that out. So the planes are literally flying in the dark and they will fly into each other and kill a lot of people"

    You mean like this, Senator?

    February 17, 2012 at 7:28 am | Reply
  10. SilverHair


    February 17, 2012 at 7:18 am | Reply
  11. t. grey


    A BILL

    File Format: PDF/Adobe Acrobat
    (a) SHORT TITLE.—This Act may be cited as the. 4. "Cybersecurity Act of 2012". 5 . (b) TABLE OF CONTENTS.—The table of contents for. 6 this Act is as follows: ..

    February 17, 2012 at 2:49 am | Reply
    • Jonathan Pollard Soon to be FREE zionist Spy American born Traitor

      the dirty evil zionist listen in on every phone call made in the U.S. and you jerk-off worry about cybersecurity.

      It's too late.

      We're owned by the dirty evil zionists.

      Play it smart: keep your mouths shut and stay stupid.

      Stay in debt and when the call comes you send your children off to fight in the zionist wars in the middle east so they can die for the new world order – with the dirty evil zionists calling the shots.

      America is a terrorist state now and we are all slaves.

      Stay stupid, our zionist masters like their goyim dumb and dumber.

      February 17, 2012 at 6:36 am | Reply
      • byebye

        I hope that anger management classes are in your immediate future. Have a blessed day.

        February 17, 2012 at 8:11 pm |
  12. t. grey

    this is just another way of giving out politically favorite wallet filling jobs. It also..won't work
    we are the ninety-nine percent, we will not forget. Expect us

    February 17, 2012 at 2:41 am | Reply
  13. Attila, The Hun

    Oh this is just great all these disparate entities are going to self-certify and police themselves. You have got to be kidding!

    February 17, 2012 at 2:00 am | Reply
  14. J.V.Hodgson

    There has to be simple and easy way to exclude hackers from say AIR traffic systems. How about the whole system being on a central ATC server which has an encrypted daily random number changed access code. At the input end this is fed only to authorised terminals automatically each day.
    The server does not let access into the system unless the terminal is identified and the encryption code passes anything outside that gets fried and deleted automatically. You can do to mainframes which contain the control programs running the same way with even higher levels restricted access. Other standard communication can go via standard international ISP.
    A similar sterilisation of electricity supply systems from ISP to " in houseSP" should reduce risk substantially.

    February 16, 2012 at 11:56 pm | Reply
    • Attila, The Hun

      Yes, I'm sure none of the experts thought of this. None of these systems can be totally secured because humans are involved.

      February 17, 2012 at 2:03 am | Reply
  15. Jim

    I'm a democrat and cannot stand republicans but even I am beginning to worry that if more democrats were in charge bills such as ACTA and SOPA and that bullshit protect the children from porn bill would have passed by now. It's scary the bills hollywood is trying to shove through.

    February 16, 2012 at 11:18 pm | Reply
  16. BK

    The most successful attacks seem to all be in retaliations for legitimately annoying things that the government has done. Maybe the government should try not being evil so that hacktivists would target other governments instead.

    I know, crazy idea.

    February 16, 2012 at 10:25 pm | Reply
    • Lord Neil

      They won't go after other countries, mainly because the countries will hunt them down and do away with them. We just send them to jail for a few years and then they get a movie deal.

      February 20, 2012 at 5:35 am | Reply
  17. mipolitic

    well we have to face threats with counter measures, in this field we will be viewed by the big brother safety net, so are we really being snooped on, well who cares after all we are on a blog that is monitored. so if we do not conduct criminal activity and do not make threats against people, what's the big deal. as long as its not a witch hunt to silence people for their political views, and we all have seen some weird things here. i say go for it big brother just do not abuse it.

    February 16, 2012 at 8:57 pm | Reply

    well, it will also go a long way in combating crime, in d country

    February 16, 2012 at 8:48 pm | Reply
