Business executives and national security leaders are of one mind over the need to improve the security of the computers that control the U.S. power grid, the financial system, water treatment facilities and other elements of critical U.S. infrastructure. But they divide over the question of who bears responsibility for that effort.
The disagreement stands as an obstacle to passage of major cybersecurity legislation backed by Sens. Joe Lieberman of Connecticut and Susan Collins of Maine, among others.
Many intelligence and security officials who worked under President George W. Bush, as well as those serving under President Obama, are backing stricter government regulation of cybersecurity, a key part of the Lieberman-Collins legislation. Business leaders, however, generally oppose those provisions.
"The major concern is the vast regulatory structure that would be set up at the Department of Homeland Security," says Larry Clinton, president of the Internet Security Alliance, an association of major U.S. companies with interests in the cybersecurity debate.
It's a concern not shared by Stewart Baker, a top cybersecurity official in the Bush administration who says he generally holds pro-business and anti-regulation views. "I see a big conflict between the desire to avoid regulation and the desire to protect national security," Baker says. "I come down on the national security side of that debate."
A War Without An Army
The cybersecurity debate is complicated by one central fact: The most critical elements of the U.S. infrastructure, from the electric grid to the telecommunications system, are generally in private hands. If a U.S. adversary attacked the computer networks that control those systems, the companies that own them would have to take care of the networks themselves. There is no national cyber army to defend them.
Government officials say the situation leaves the U.S. infrastructure vulnerable in the event of an all-out cyberwar.
At a recent cybersecurity conference organized by Bloomberg, for example, Frank Montoya, the top U.S. counterintelligence official, reminded the business people in his audience how much has changed since World War II, when the U.S. military did the fighting and private industry played only a support role.
"Let's fast forward to the 21st century," Montoya said. "We're an information-based society now. Information is everything. That makes you, as company executives, the front line — not the support mechanism, the front line — in [determining] what comes."
Cybersecurity Not In Business Model
The question raised by some security experts is whether private industry is up to the challenge. Recent research sponsored by EMC, a leading information technology firm, suggested that cyberthreats are not getting adequate attention from corporate boards and senior executives. A study by Bloomberg Government concluded that utilities, banks and other infrastructure operators may need to increase their cybersecurity spending as much as nine times to reach satisfactory levels.
Such findings have convinced many in the national security establishment that the government may need to require companies to improve their cybersecurity. The backers of tougher cybersecurity regulation include Michael McConnell, a former head of the National Security Agency and director of national intelligence under George W. Bush, as well as Michael Chertoff, President Bush's secretary of Homeland Security.
"When you've had responsibility and had to live with the possibility that tomorrow you'll wake up and on your watch something very bad has happened, you have a different view about the importance of being able to do something about it," says Stewart Baker, who was general counsel at the National Security Agency prior to serving during the Bush administration as the first assistant secretary for policy at the Department of Homeland Security.
On the other hand, national security leaders don't necessarily have much experience running a private business.
"The legally mandated role of the government is to provide for the common defense, and they're willing to spend pretty much whatever it takes to do that," says Larry Clinton of the Internet Security Alliance. "If you're in a private organization, your legally mandated responsibility is to maximize shareholder value. You can't spend just anything on the cyberthreat. You have an entirely different calculus that you have to put into effect."
Clinton agrees that companies do need to spend more on cyberdefense than they're spending now, with more resources going to new technologies, monitoring and security consultants.
Simply requiring companies to spend that money without regard for whether they can afford it, however, doesn't make sense, Clinton argues.
"Whether we like it or not, we are going to have to figure out a way to get private companies to make, on a sustainable basis, investments that are not justified by their business plans," Clinton says. "Simply telling them, 'You have to ignore your business plan,' is not a sustainable model. We have to find a way to make it economic."
A Time For Sacrifice?
Some national security leaders argue, in turn, that there have been times in U.S. history when the country has to make security investments whether they make business sense or not. The need to prepare for a massive cyberattack, they say, is such an occasion.
Larry Clinton's response: Then the government should pick up the check.
"If the government was interested in paying the private sector to do all these things, probably we would go a long way toward doing it," he says. "But the government so far, [with] the Lieberman-Collins bill, wants it all done for free. They want the businesses to simply plow that into their profit and loss statement, and the numbers are staggering. You simply can't do it."