Senate Judiciary Crime and Terrorism Subcommittee chair Sheldon Whitehouse (D-R.I.) and Steptoe & Johnson partner Stewart Baker agreed on at least one thing at a cybersecurity hearing Wednesday: there are two types of networks, ones that know they have been hacked and ones that don't.
That was one of the sobering moments in a hearing on how the Senate should proceed on cybersecurity protection legislation. The House last month passed a bill, HR 3523, the Cyber Intelligence Sharing and Protection Act, that allows for government sharing of cyberthreat information with industry, and vice versa, subject to some restrictions, though not enough for privacy groups.
At the Senate hearing Wednesday, Whitehouse emphasized the need for cybersecurity standards that companies can be held accountable for. While he conceded that there were many good actors, he said there were also ones who, left to their own devices, won't take the steps to protect their networks.
And those nets are in need of protection, suggested Cheri McGuire, VP of Symantec. She told the committee that there was a 42% increase in targeted attacks in 2012. And those attacks were paying off for criminals.
She said that approximately 93 million identities were revealed through hacking, theft or operator error. "That is 93 million people whose personal information is now potentially for sale on the black market - 93 million people who are at risk for credit card fraud, identity theft and other illegal schemes."
Baker, former general counsel to the National Security Agency, warned that network insecurity could "easily cause the United States to lose its next serious military confrontation."
But Baker was not done. "Our network security, in short, is toast," he said in testimony. "We've been living in a dream world, thinking that if we could just fix all the security holes that hackers have been exploiting, then our networks would at last be secure. But if that dream were ever achievable, it looks hopeless today. The resources that hackers are putting into finding holes are growing steadily, as the modest risks and great rewards of exploiting networks continues to attract everyone from nation states to organized crime."
Given that, he said, private companies should have more latitude to do their own investigations. "Private investigators and deputized citizens and repo men aren't the same as vigilantes or a lynch mob," he said. "They are institutions that allow the victim of a crime to supplement law enforcement."
He also cautioned against regulations that become out of date before they hit the page.
Whitehouse agreed there could be a danger of regulation holding back cybersecurity efforts, and a price to be paid for that. But he also said there was the danger of the free riders, laggards and cheats who don't adopt protection for economic reasons or under the impression the government will save their rear ends, and that there was a cost to that as well.
He said he came down on the side of standards.