Lawmakers: U.S., DOD still not taking cybersecurity seriously
By KEVIN BARON | STARS AND STRIPES Published: February 11, 2011
WASHINGTON — The U.S. still is not well equipped to respond to cyberwarfare attacks and is not taking the threat seriously enough.
That is the blunt assessment of two key congressmen charged with overseeing the Defense Department’s efforts to protect U.S. computer systems, setting a tone likely to undergird cybersecurity discussions on Capitol Hill the rest of the year.
In Congress, the legislative calendar is under way picking up last year’s unfinished business of determining who in the federal government is in charge of the various cyberwarfare responsibilities.
“We know that cyber is a new domain of vandalism, of crime, of espionage, and yes, even warfare. But I’m afraid the country is not very well equipped to deal with any of those challenges,” said Rep. Mac Thornberry, R.-Texas, chairman of the House Armed Services Committee’s newly named Subcommittee on Emerging Threats and Capabilities, in its first hearing of the year, on Friday.
Subcommittee members came out of winter hibernation swinging, and asking a question rarely heard on Capitol Hill: What role will DOD play in a computer attack on the nation?
“If a formation of planes or hostile-acting ships came barreling toward a factory or refinery in the U.S., we know pretty well what we expect the military to do,” said Thornberry. “But what do we expect — or should we expect — if a bunch of malicious, or potentially malicious, packets come barreling toward that same factory or facility in cyber space?”
There is still no clear agreement between Congress, the White House, Pentagon, CIA, Department of Homeland Security and other industry stakeholders regarding who should watch over what networks and respond in various cyberattack scenarios.
Two bills introduced last year aim to lay out explicit federal authorities. Meanwhile, the administration, asserting itself, assigned observers from DOD and DHS to sit in each other’s cybersecurity operations to act as good-faith monitors.
On Friday, the panel asked more specifically if anyone made progress in determining how the DOD should respond to attacks to the national civilian power grid that could cripple military bases, a top concern for authorities including Vice Adm. Barry McCullough, commander of the Navy’s 10th Fleet, who warned Congress in September.
“I have to say, I’m afraid many in industry and in government still fail to appreciate the urgency of this threat,” said ranking Democrat James Langevin, of Rhode Island. “Since I began working on this issue, I’ve been disappointed by the overall lack of serious response and commitment to this issue.”
Many bases have one source of power, Langevin said, with few backup systems, and so would be out of commission weeks or months if a grid attack were successful.
“I don’t think there’s any question but that [a power grid attack] is a real national security threat that we have to pay attention to,” said CIA Director Leon Panetta, one day earlier, under questioning from the House Permanent Select Committee on Intelligence.
But electric groups and the DOD are still in early discussions, prioritizing, for instance, the parts of the military that are most dependent on the civilian power grid, Gerry Cauley, chief executive officer of the North American Electric Reliability Corporation, told the panel. In short, the government has not adequately defined which agencies are in charge.
“I think it’s based on ad-hoc relationships, not clear lines of responsibility and authority,” Cauley said.
Some cautioned against protecting civil liberties and private information as the government determines rules for sharing information between the military and civilian agencies.
“Just as the military does not police our streets, it should not police our civilian cyber infrastructure,” said Rep. Hank Johnson, Georgia Democrat.