K.S. Rajan (28 Feb 2012)
"Cybersecurity 2.0"


 
Debating measures for US cyber-security.

"The original approach was to create a "kill switch" empowering regulators to turn off access to the Web. New legislation would instead break down silos between U.S. companies and intelligence agencies so that cyber attacks can be tracked and reported, raising prospects for identifying cyber spies."

From today's WSJ, FYI,
David
FEBRUARY 27, 2012
Cybersecurity 2.0
Encouraging companies and intelligence agencies to share information freely is a good first step.
By L. GORDON CROVITZ

Give Washington some credit: It looks as if politicians have learned it's not a good idea to destroy the Internet in order to save it. Congress and the White House have considered dozens of bills over the past few years to address cybersecurity, chiefly how countries such as China and Russia are using the Web to access confidential information from companies and U.S. agencies.
The original approach was to create a "kill switch" empowering regulators to turn off access to the Web. New legislation would instead break down silos between U.S. companies and intelligence agencies so that cyber attacks can be tracked and reported, raising prospects for identifying cyber spies.
The U.S. is experiencing mind-boggling violations of cyber security. Consider this sample of violations traced to China alone discovered over the past year:
For a decade, hackers accessed the corporate computer network of Nortel, whose digital switches power much of the Web; defense contractor Lockheed Martin suffered a break-in when the SecurID system that provides encrypted authentication was breached; the U.S. Chamber of Commerce had all its systems accessed (one tipoff of a problem was when a printer in its office mysteriously printed pages with Chinese characters); five large oil companies lost information about their operations, including bidding strategies; and hackers accessed details of the Pentagon's costliest weapons program—the $300 billion Joint Strike Fighter project—including aircraft design and electronics.
FBI Director Robert Mueller last month told a Senate committee that cyber espionage against infrastructure such as power plants will someday surpass terrorism as the "No. 1 threat to the country." This may be hyperbole, but the violations we know about are the tip of the iceberg. It takes a high level of sophistication to discover breaches of computer systems, which makes it likely that many remain undiscovered. Also, many companies choose not to disclose violations for fear of being sued. For example, news that some 30 high-tech companies had been hacked, including Yahoo, Adobe and Northrop Grumman, came to light a few years ago only when Google disclosed that the Gmail accounts for Chinese human-rights activists had been compromised.
Gen. Keith Alexander, director of the National Security Agency, told an FBI conference last month that the known attacks are the exception. When big companies are hacked, "people ask, 'What's wrong with these guys?'" Gen. Alexander said. "Actually, they're the gold standard for securing cyber. They're the ones that know they've been hacked."
Two bills in the Senate try to address the problem. Both reject earlier ideas such as giving federal authorities the ability to turn off parts of the Web or licensing cybersecurity workers in industries such as the electricity grid, chemical plants and financial-services computer networks.
The Cybersecurity Act of 2012, introduced by Sen. Joe Lieberman, ran into trouble by trying to set new rules on how companies would monitor cyber security. A regulatory approach is flawed because types of cyber attack change faster than regulations can anticipate them. Sen. John McCain's measure, which will be introduced soon, makes it easier for companies and intelligence agencies to share information about cyber attacks, ending a situation akin to the government pre-9/11, when intelligence was restricted to silos instead of being shared.
Both bills include provisions to encourage disclosure of cyber attacks by limiting companies' legal liability for monitoring their systems and disclosing information about unauthorized access. Companies would participate in newly created "cybersecurity exchanges" where information would be shared without creating legal risk. The intelligence community would use these exchanges to share classified tips about security breaches.
The debate on cybersecurity has echoes from the recent battle over the Stop Online Piracy Act, because earlier approaches similarly threatened the mechanics of the Web. The cybersecurity bills now in Congress avoid the overreaching of SOPA, which was withdrawn when it became clear that the government cure of regulation of the Web was worse than the disease.
The U.S. and its allies are also engaged in cyber warfare—the Stuxnet virus apparently developed by the U.S. and Israel slowed down Iran's nuclear program—but the open nature of the Web makes this a high-stakes game. Today's world is different from the pre-Internet era when industrial espionage featured spies from France visiting U.S. silicon chip factories wearing shoes with special adhesives to help them pilfer samples.
The Web has transformed many areas of life, now including a new cyber cold war. America's enemies need to be discovered and deterred. Making it possible for companies and intelligence agencies to share information more freely is a good first step, increasing transparency as a way of using the strength of the open Web as a tool in its own defense.