Measured Response to a Limited Threat


The New York Times Room for Debate posed the question, "Should Industry Face More Cybersecurity Mandates?" 

Defense Secretary Leon E. Panetta has warned that the United States faces a possible “cyber-Pearl Harbor” attack by foreign computer hackers who could dismantle the nation’s power grid, transportation system, financial networks and government. But in August, Senate Republicans, siding with the U.S. Chamber of Commerce, blocked legislation that would have required new standards at critical private-sector facilities, saying such rules would be too burdensome for businesses.

Is the threat of cyber attacks on crucial industries as serious as Secretary Panetta has said? If so, are businesses investing enough to protect themselves, or should they be required to do more?

Jerry Brito provided the following response:

Secretary Panetta warned of a “cyber Pearl Harbor” that “could be as destructive as the terrorist attack on 9/11.”

That is a terrifying thought. The attacks on Pearl Harbor and on 9/11 each saw thousands die. Both attacks were accompanied by massive physical destruction. So what is the evidence that a computer attack can lead to such horror?

Secretary Panetta held up two recent incidents as cause for such grave concern. First, some American banks last month suffered what are known as “denial of service attacks.” But as The New York Times accurately explained at the time, “Such attacks, while a nuisance, are not technically sophisticated and do not affect a company’s computer network – or, in this case, funds or customer bank accounts.” Second was a more serious breach that wiped out the hard drives of 30,000 computers at Saudi Aramco. This attack seems to have been perpetrated with the help of an insider, was limited to office computers, and did not cause any physical damage, much less loss of life.

Infrastructure owners have an incentive to protect their investments. Federal regulation will only crowd out innovation.

The fact is that there is no evidence that anyone has ever died as a result of a cyber attack. And the evidence of cyber attacks causing physical destruction is limited to very subtle and targeted attacks, like the Stuxnet worm that affected Iran’s nuclear enrichment program, likely carried out by the United States.

Some would argue that despite the lack of evidence we need to “do something” anyway because the imagined threat is so terrible. As Condoleezza Rice would say, “We don’t want the smoking gun to be a mushroom cloud.” Fear, however, should not be a basis for policy making.

Is there a growing cybersecurity challenge we need to address? Absolutely, but infrastructure owners that have invested billions in their systems have an incentive to protect them. Prescriptive regulation from the federal government will only crowd out innovation and distort insurance and consumer markets.

Information sharing between the private sector and government agencies like the National Security Agency might be a good idea, and privacy and surveillance laws may now be getting in the way. However, we should address this by carefully reforming those individual privacy laws, not by enacting legislation granting blanket immunity to corporations that share personal information with government.