Cybersecurity law at risk of watering down

WASHINGTON, July 25 (UPI) -- Ambitious new U.S. legislation to fight cybercrime and cyberterrorism is at risk from revisions that may water it down so much that it is no longer effective, critics say.

The revised cybersecurity bill introduced in the U.S. Senate has drawn criticism for being too soft on the corporate sector, which is likely to be let off easily on what are basically compliance issues, analysts said.

In previous versions of the Cybersecurity Act, businesses and the corporate sector at large were put under various obligations to ensure security of their systems against cybercrime and cyberterrorism.

But Republican objections made those provisions unsustainable and further changes eliminated those clauses.

Security analyses and numerous expert assessments over the past two years have maintained that businesses that run the power grid, gas pipelines, water supply systems and other critical infrastructure elements are most at risk from hostile action aiming either to disable their computer systems or to manipulate those systems with adverse outcomes.

In earlier versions of the bill, corporate firms were required to meet certain levels of security and were warned of penalties if they failed to do so.

The lawmakers insist the bill can still be effective but critics within Congress and outside it say they aren't so sure.

In March, National Security Agency chief Gen. Keith Alexander warned Congress the law needed to have more clout because operators of critical infrastructures didn't follow even basic security procedures like updating software.

The U.S. Industrial Control System Cyber Emergency Response Team reported last month that computer systems running critical infrastructures were hacked nearly 200 times -- more than four times the reported frequency of attacks recorded for 2010.

U.S. President Barack Obama said last week Congress must pass the bill to address cyberthreats to the country's infrastructure.

In an op-ed in The Wall Street Journal, Obama said "critical infrastructure networks" haven't been disrupted or damaged but "foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day."

"Last year, a water plant in Texas disconnected its control system from the Internet after a hacker posted pictures of the facility's internal controls," he said. "More recently, hackers penetrated the networks of companies that operate our natural-gas pipelines. Computer systems in critical sectors of our economy -- including the nuclear and chemical industries -- are being increasingly targeted."

Obama said an adversary "in a future conflict" might compensate for battlefield military inferiority by exploiting "our computer vulnerabilities here at home."

"Taking down vital banking systems could trigger a financial crisis," the president said. "The lack of clean water or functioning hospitals could spark a public health emergency. And as we've seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill."

Obama said his administration has made cybersecurity a priority, "proposing legislation to strengthen our nation's digital defenses. It's why Congress must pass comprehensive cybersecurity legislation."

"We need to make it easier for the government to share threat information so critical-infrastructure companies are better prepared," he said. "We need to make it easier for these companies -- with reasonable liability protection -- to share data and information with government when they're attacked. And we need to make it easier for government, if asked, to help these companies prevent and recover from attacks."

While the cybersecurity bill awaits passage, some corporate initiatives are addressing the threat. Northrop Grumman and Areva Inc. announced they are working to provide cybersecurity support for U.S. nuclear facilities.

The companies said the pairing, in response to the U.S. Nuclear Regulatory Commission's call for cybersecurity protections, will combine Northrop's cybersecurity capabilities with Areva's extensive regulatory experience to help the industry meet the commission's regulatory requirements.

"Protecting the U.S. nuclear power infrastructure from exploitation and attacks of networks, systems, information and physical assets is an industry concern," said Tom Franch, senior vice president of reactors and services, Areva Inc.

This October will see the third annual observance of Cybersecurity Awareness Month.
