The long political fight over the security of the nation’s computer networks is expected to re-ignite next year — with the safety and convenience of virtually every American on the table.
At stake is the nation’s cyberspace, increasingly at risk from playful hackers, thieves, fraudsters, foreign spies and terrorists. Experts insist everything from online gift-buying to transportation systems to the electricity in your home is endangered.
They paint frightening pictures of derailed trains and toxic clouds, closed airports and hospitals, even compromised nuclear power plants fouled by secret attacks on computer networks.
“It’s not hyperbole,” said Ken Silva, senior vice president for cybersecurity at ManTech International, a technology and national security firm. “Cybersecurity needs to be a national priority.”
The time is past, analysts say, for thinking of the dangers as so much science fiction.
“It’s not if it’s going to happen,” said Jeff Lanza, a former FBI spokesman who now lectures on cybersecurity. “It’s when.”
But an unlikely coalition of businesses and civil libertarians has pushed back, arguing potential government-ordered fixes would complicate computer use, stifle innovation, and cost consumers millions.
“The U.S. needs responsive, nimble cybersecurity defenses and policies that will not come from more regulations or government-set standards,” Paul Rosenzweig of the conservative Heritage Foundation wrote in mid-November.
The two arguments collided this month in the Senate — and opponents of the government solution won. For the time being. The Senate finally killed a cyber safety measure, leaving it to the new Congress to revisit the issue next year.
“Our cyber enemies are at the gates,” Connecticut Sen. Joseph Lieberman pleaded before the Nov. 14 vote. “In fact, they have already broken through the gates.”
The statement failed to convince enough of his colleagues. Sen. Roy Blunt, a Missouri Republican, voted against the cybersecurity measure, as did fellow Republicans Kansas Sens. Pat Roberts and Jerry Moran. Democrat Sen. Claire McCaskill voted for it.
Lawmakers said they’ll take another stab at the issue in January.
“This is an issue of national security,” McCaskill said in an email. “We’ve got to tackle these challenges in a commonsense and responsible manner.”
Yet finding cybersecurity agreement in the new Congress won’t be easy.
Possible improvements to securing the computer network are obscure, but some themes have emerged.
Accessing accounts or Web pages could become more difficult as networks impose new screening and verification mechanisms. Using your computer for banking, investing or buying merchandise could become more expensive as companies pass growing cybersecurity expenses on to consumers. Schools might be required to teach cyber safety, while portable phones and tablets might become less intuitive to use.
Computer innovations could slow. Social network participation could dip. Older software might cease to work. Private information might become more available to authorities.
The Senate plan, more than a year in the making, wouldn’t have required any of this. Or precluded it.
Instead, it would have established a National Cybersecurity Council, empowered to assess computer-network-related safety risks and establish semi-voluntary programs and standards for private and public cyber networks. It might have recommended costly system improvements — or easy, cheap fixes that most consumers might never have noticed.
The bill died in part because of the ongoing political stalemate and general mistrust among Republicans and Democrats in Washington.
It also failed because libertarian computer users and businesses convinced lawmakers the measure would give the government enforcement and regulatory tools that could cost billions of dollars without actually improving cyber safety.
“An ineffective program would tie businesses in red tape but would do little to deter bad actors,” the U.S. Chamber of Commerce said in a letter to Congress in November. “Businesses do not have unlimited capital and human talent to devote to regulatory regimes that are ... out of date as soon as they are written.”
At the same time the Electronic Frontier Foundation, which lobbies for Internet privacy rights, said the bill was “overly vague” and may have threatened individual Web users.
“We don’t need to water down existing privacy law to address the challenges of cybersecurity,” said EFF attorney Lee Tien in a statement after the vote.
Supporters inserted some privacy protections into the measure this summer, but not enough to save it. Finding a balance among cost-effective, reliable security measures, corporate needs, and privacy rights is difficult, Blunt said.
“How to draw those lines becomes very important,” he said recently.
Cybersecurity compromise is also difficult because of the free-wheeling nature of the Internet, where full agreement on standardizing technical issues is often hard to achieve — and subject to the relentless pace of industry improvements.
The threats vary with targets, experts said, further complicating the search for a universal solution. Some computer-based activities — emails or cat pictures, for example — may be easier to protect than complicated electric grid networks or millions of bank accounts.
For those reasons, and others, grassroots support for cybersecurity legislation next year appears unlikely.
Many Americans, remembering the Y2K threat in 1999, have become jaded to perceived dangers of the interconnected Internet world, complicating the political calculations in Washington.
“Sadly, for everyone to unilaterally agree,” Silva said, “it’s going to take something catastrophic.”