It took an attack by a nation-state on Hollywood to bring the threat of cyberattacks to the forefront of Americans’ consciousness, but we have been fighting this war for decades.
Most Americans think of cyberattacks as just threats to their identity and financial information, such as the recent high-profile data breaches at Target, Home Depot and JPMorgan Chase. As the Sony attack has proven, though, we have now reached a new era of cyberterrorism where threats cause just as much damage and fear as a bomb threat.
While the economic damage of this hack is disconcerting, the real significance lies in the fact that, according to the FBI, this marks the first major destructive cyberattack waged against a company on U.S. soil.
This attack aimed to destroy the company’s computer network — not just steal information — much like the 2012 Iranian-backed attack on Saudi Arabia’s national oil company, Aramco, which damaged 30,000 computers. A similar attack on our critical infrastructure might collapse our power grid, wreak havoc on airlines or trains, and taint our water supply — any of which could lead to the loss of lives.
The situation escalated when the hackers threatened 9/11-style terrorist attacks on movie theaters that planned to screen Sony’s comedy about North Korea, “The Interview.”
The FBI and Homeland Security have recently confirmed the attack originated from North Korea. Because there are few to no consequences for conducting cyberattacks, criminals and nation-states are becoming bolder in their threats and behavior. Russia, China, North Korea and Iran are increasingly hacking into U.S. companies and government networks for espionage purposes or financial gain. Gen. Keith Alexander, former director of the National Security Agency, described this loss of intellectual property as “the greatest transfer of wealth in history.”
We have no effective strategy in place to stop it.
Over the past two years, I have worked to enact legislation to address the challenges that threaten our nation’s critical digital networks. Last Congress, I shepherded five cyber bills through Congress that were enacted into law, which lay out the rules of the road on how cyber information will be shared between government and the private sector. They establish a federal civilian interface at the Department of Homeland Security to facilitate cybersecurity across the 16 critical infrastructure sectors and the private sector, bolster Homeland Security’s cyber workforce, improve the department’s ability to secure federal networks, and expand cybersecurity research and development efforts.
While these pieces of cybersecurity legislation are a huge step forward in protecting our nation and critical infrastructure from cyberthreats, there is still much more work to be done. The assistant director of the FBI’s cyber division, Joseph Demarest, told Congress the sophisticated malware used in the Sony hack “would have slipped and gotten past 90 percent of the net defenses that are out there today in private industry and been a challenge to state governments.” It is going to take greater collaboration between the federal government and the private sector to tackle this growing 21st-century threat.
In order to have greater visibility of the larger cyberthreat landscape, we must remove the government bureaucratic stovepipes that inhibit our abilities to effectively defend America, while ensuring citizens’ privacy and civil liberties are also protected. The private sector must be able to share cyberthreat information with DHS’ civilian interface, the National Cybersecurity and Communications Integration Center (NCCIC). To do this, we must remove legal barriers preventing private entities from sharing information with the government, and increase voluntary sharing of cyberthreat information with the center and across all critical infrastructure sectors.
Furthermore, Congress must do more to incentivize private entities to invest in greater cybersecurity practices and procedures. One such incentive would be to clarify that companies could have their cyberdefenses certified as sufficient under the Safety Act, which would provide important legal liability protections in the case of a large-scale cyberattack.
Lastly, good work is currently being done to develop voluntary best practices and procedures to reduce risks to critical U.S. infrastructure. We must ensure this public-private collaboration continues as we push to ensure the cybersecurity of our vital networks.
Former Defense Secretary Leon Panetta said it would take a “cyber Pearl Harbor” to wake the nation up to the seriousness of the cyberthreat. It may have taken an attack on Hollywood to showcase our vulnerabilities and that cyberterrorism is real. The attack on Sony should serve as a warning siren.
To prevent a crippling attack on our nation’s critical networks, U.S. companies and the federal government must work together to combat those who wish to do us harm. As the chairman of the Committee on Homeland Security, I will lead a renewed effort this year with my partners in the House and Senate to build on the progress my committee made last Congress by removing the legal barriers for the private sector to share cyberthreat information. Only then will we be able to best prevent, detect and respond to the growing cyberthreats today.
• Michael McCaul, Texas Republican, is chairman of the House Committee on Homeland Security.