Five months ago, Connecticut suffered through an unnerving week when a record-breaking autumn snowstorm dumped as much as two feet of wet snow on parts of the state, felling trees and power lines, cutting off electricity to 880,000 customers — more than half the state's population — and causing eight deaths. Homes were unlivable. Telecommunications were disrupted. Roads were blocked. Trains were inoperable. The state was paralyzed for days.
Now, instead of nature, imagine if a foreign nation attacked the cyber networks that run Connecticut Light and Power or the Millstone Nuclear Plant, or both. With one computer key stroke, perhaps from the other side of the world, Connecticut or the region could be plunged into chaos. If radiation leaked from Millstone, hundreds could die, thousands could become ill and large segments of the population could be displaced. If CL&P lost its capacity to function, communications and travel would be disrupted and economic activity would come to a halt. On top of that, the attack could presage or be part of a wider attack on our nation, jeopardizing national security.
That type of catastrophic cyber attack is among the top concerns of homeland and national defense leaders. And, unlike extreme weather, it is preventable. The cyber networks of the nation's critical infrastructure — our electric grid, water delivery systems, transportation, finance and communications networks — are now sitting ducks for attack by criminals, foreign powers, pranksters and terrorists . Physical security — such as fences and surveillance cameras — is already required at for critical services, such as nuclear plants, airports and utilities. In the digital age, why shouldn't we also close the gaps in our cybersecurity?
The system is already blinking red in warning. FBI Director Robert Mueller recently predicted that, in the near future, cyber attack will surpass terrorism as the country's greatest threat. George W. Bush Administration Homeland Security Secretary Michael Chertoff said cyber threats are "one of the most seriously disruptive challenges to our national security since the onset of the nuclear age." The chairs of the9/11 Commission Tom Kean and Lee Hamilton asked Congress to pass comprehensive legislation quickly to prevent "catastrophic cyber attacks on the nation's critical infrastructure."
The Department of Homeland Security counted close to 50,000 reports of cyber intrusions or attempted intrusions since October 2011 — an increase of 10,000 over the same period last year. Homeland Security also tells us that between October and February of this year, there were 86 attacks on systems that control critical infrastructure, factories and databases. Eleven incidents were reported in the same period last year.
Owners of critical infrastructure decide whether or not to secure their systems. Many have done so. But the cyber networks of too many others are not only vulnerable but have been infiltrated or attacked. With our economic and national security at risk, the government has an obligation to step in.
Sens. Susan Collins, R-Maine, Jay Rockefeller, D-W.Va., Dianne Feinstein, D-Calif., and I are advocating bipartisan legislation that would require critical cyber networks to be secure. We propose that the owners of critical cyber systems partner with the Department of Homeland Security to determine which systems are most at risk and establish security standards that must be met.
Industry would be free to decide how to meet those standards. If a sector is already well secured, it would not be required to take further action. Standards likely would mirror what the most secure companies are doing: making sure their industrial control systems are not connected to the Internet; inventorying their networks and assets; and adding technology to detect unauthorized intrusions.
Some critics describe our legislation as "job-killing" regulation. This is election-year nonsense. Anyone who has read our legislation knows we worked closely with the private sector and adopted many of its suggestions. As a result, technology firms such as Oracle and Cisco Systems, defense companies like United Technologies Corp. and Northrop Grumman, energy company Pepco, security firms such as EMC and Symantec, and associations like Tech America have praised the bill.
Our legislation would save American jobs, help businesses prosper and protect the ingenuity that built this great nation from cyber theft. Let's not repeat the failure to act to prevent an attack, as we did before 9/11. This time, let's act before the attack comes.