By T.J. Mayes
In 2010, we entered a brave new world of warfare.
The Iranian government discovered a computer worm was attacking its nuclear enrichment facilities, and two years later it was clear that the so-called Stuxnet virus had been developed by the United States and Israel. President Barack Obama later penned an op-ed in the Wall Street Journal calling cybersecurity a “priority.”
The U.S. infrastructure has become totally dependent on computer networks. Our banks, utilities, corporations, hospitals and oil refineries all depend on a stable grid. It makes our lives incredibly efficient and convenient, but has created an unprecedented vulnerability that is incredibly difficult to mitigate.
The Cybersecurity Act of 2012 failed to pass through Congress because of a Republican-led, and Chamber of Commerce-backed, Senate filibuster. Even before the filibuster, congressional leaders had urged President Obama to issue an executive order on the matter.
Governing by executive order is troublesome from a philosophical standpoint, but there are practical problems as well. The White House remains divided on the issue, and Sen. Susan Collins (R-Maine) opposes an executive order for apolitical reasons:
I understand the administration’s desire to act, but an executive order should not be a substitute for legislative action. … An executive order could send the unintended signal that congressional action is not urgently needed.
The primary provision of any legislative or executive action on cybersecurity would be the creation of a cross-agency federal government effort that would, in collaboration with private industry, establish voluntary best practices for the protection of critical infrastructure. This may sound reasonable enough, but the Chamber of Commerce is concerned that voluntary standards will inevitably evolve into a complex regulatory scheme.
Information sharing between industry and government would also be necessary to ensure cyber reliability. This also raises concerns. In order for the government to properly protect the infrastructure, officials need to know what’s happening. On the other hand, industry leaders are concerned that sharing information with the government might expose companies to liability or infringe on the privacy rights on their consumers.
Needless to say, the policy framework is complicated and contentious. But it would be negligent for Congress to wait for disaster to strike before taking proactive steps.