WASHINGTON — Senate Judiciary Crime and Terrorism Subcommittee chairman Sheldon Whitehouse (D-R.I.) and Steptoe & Johnson partner Stewart Baker agreed on at least one thing last week at a Capitol Hill hearing on cybercrime. In general, there are two types of networks: ones that have been hacked, and their managers know it, and ones that have been hacked, but their managers don’t know it.
That was one of the sobering moments in a hearing on how the Senate should proceed on cybersecurity protection legislation. The House last month passed the Cyber Intelligence Sharing and Protection Act (HR 3523), a bill that allows for government sharing of cyber-threat information with industry, and vice versa, subject to some restrictions — though not enough for privacy groups.
But the Senate is looking to craft its own bill, rather than take up the House version.
At the May 8 hearing, Whitehouse emphasized the need for cybersecurity standards to which companies can be held accountable. While conceding the industry has many good actors, Whitehouse said there are also those who, left to their own devices, won’t take steps to protect their networks.
Those networks are in need of protection, suggested Cheri McGuire, a vice president at security vendor Symantec.
Baker, former general counsel to the National Security Agency, warned that network insecurity could “easily cause the United States to lose its next serious military confrontation.”
But Baker was not done. “Our network security, in short, is toast,” he said in testimony. “We’ve been living in a dream world, thinking that if we could just fix all the security holes that hackers have been exploiting, then our networks would at last be secure. But if that dream were ever achievable, it looks hopeless today.”
Given that, he said, private companies should have more latitude to do their own investigations. “Private investigators and deputized citizens and repo men aren’t the same as vigilantes or a lynch mob. They are institutions that allow the victim of a crime to supplement law enforcement.”
Baker also cautioned against regulations that become out of date before they hit the page.
Whitehouse agreed there could be a danger that regulation would hold back cybersecurity efforts, and a price to be paid for that. But he also said there was the danger of the free riders, laggards and cheats who don’t adopt protection for economic reasons or under the impression the government will save their rear ends, and that would have costs as well.
He said he came down on the side of standards.
Cybercrime Facts and Figures
Some eye-opening stats and definitions:
42%: The increase in targeted cyber-attacks in 2012.
50%: The share of targeted attacks aimed at small businesses (with 2,500 employees or fewer).
93 million: The number of identities exposed through human error, hacking and theft in 2012.
‘Watering hole’ attacks: “Efforts by attackers to compromise legitimate websites so that every visitor to those websites runs the risk of infection.”
Ransomware: “A type of malicious soft ware that locks a user’s computer and displays a screen purporting to be from a law enforcement agency.”
SOURCE: Cheri McGuire, Symantec