To better protect the nation's critical digital infrastructure, lawmakers must enact policies to address a shortage of trained cybersecurity professionals, a panel of experts warned at a joint House subcommittee hearing on Tuesday.
Stressing the urgency of the threats, witnesses from industry and academia told members of the Committee on Science, Space and Technology's research and technology subcommittees that cybersecurity, as a profession, is hobbled by scant funding for research and development and education.
"I do not have to tell you that we are under attack in cyberspace. Those of us in the field of security have known about it for some time now, but now the problem has broadened and deepened in scope," said Frederick Chang, president and COO of the data-analytics firm 21CT.
"The field of cybersecurity is too reactive and after the fact. We wait for something bad to happen, and then we respond. We lack the fundamental scientific understanding of causes, of solutions, of counter measures. Science uses words like 'evidence,' 'metrics,' 'repeatability,' 'predictability.' In cybersecurity, these words are not used often enough," Chang added. "Indeed, when it comes to predictability, about the only thing we can predict with a high degree of confidence is that a determined hacker will be able to compromise the target system."
Tuesday's hearing comes at the beginning of the new congressional session when lawmakers are once again working to build support for legislation to bolster defenses against digital attacks on critical infrastructure operated by the government and private sector.
Lawmakers and witnesses both expressed support for one such bill, the Cybersecurity Enhancement Act, which passed the House in 2010 but did not clear the Senate. The authors of that measure, Reps. Michael McCaul (R-Texas) and Dan Lipinski (D-Ill.), are trying again in the 113th Congress. That legislation includes provisions to establish cybersecurity grant programs, improve coordination among federal agencies and develop cybersecurity scholarships at the National Science Foundation.
Whether the Cybersecurity Enhancement Act progresses as a standalone bill or as part of a more comprehensive package, McCaul is hopeful that new cybersecurity standards, after years of debate, will become law in short order.
"I do believe this is the Congress when we will get cybersecurity legislation passed through the House, the Senate and signed by the White House," he said. "Whether it's criminal, whether it's espionage, whether it's cyberwarfare, we can't afford to wait any longer."
But in the absence of congressional action, President Obama earlier this month issued an executive order directing federal departments and agencies to develop a system for reporting cyberattacks, expanding coordination with the private sector and other measures.
That executive order, limited in scope by the bounds of presidential authority, was not designed as a substitute for cybersecurity legislation, which as a general matter enjoys strong bipartisan support.
"This challenge requires a thorough and comprehensive effort in both the public and private sectors," said Rep. Lamar Smith (R-Texas), the chairman of the full House science committee. "Private companies are increasing their investment in cybersecurity. Congress should support those efforts. Only Congress can provide the incentives and protections that would permit necessary information sharing among companies and more importantly between private companies and the federal government."
Of course, at a time of contracting agency budgets, finding new federal funding for cybersecurity research and development is a tall order. Cybersecurity writ has never been a significant line item in the federal budget, amounting to just a fraction of a percentage point of government spending.
But it might be time to make cybersecurity a bigger piece of the pie, Chang suggested, particularly given the increasing reliance on digital systems across virtually every sector of the economy.
"If you think about the priorities that the nation is now placing on cybersecurity, the fact that it's something less than 1 percent seems to be a small number. It's not for me to determine what the priorities are, but that just strikes me as sort of a low number," Chang said.
The debate over cybersecurity often gives air to dire warnings and dramatic rhetoric, with officials warning of an event like a "cyber Pearl Harbor" or "cyber 9-11". Michael Barrett, the chief information security officer at PayPal, pointed out that the true extent of hacking and other criminal activity is shrouded by a shortage of information about attacks, and called for the government to undertake new research aiming to illuminate the scale of the problem.
"What we have found from our years of combating cybercrime is that quantifying the full cost is difficult, if not impossible, because many incidents aren't reported," Barrett said. "Estimates of the magnitude and scope of cybercrime vary widely, making it difficult for policymakers and industry to fully understand the problem and the level of effort needed to combat it. We recommend that policymakers fund some research that helps fill some of the information gaps that currently exist as it relates to cybercrime. We believe that this research will be a critical tool in arming policymakers, law enforcement and industry against the growing threat of cybercrime."
Terry Benzel, deputy director for cyber networks and cybersecurity at the University of Southern California's Information Sciences Institute, urged a broader rethinking of the traditional approach to cybersecurity. Instead of a piecemeal focus on specific attacks and vulnerabilities, she suggested a more holistic view of the threat landscape that would ingrain security across the enterprise.
"All too often our research is narrowly focused on single topics. For example, we have many people conducting excellent research in distributed denial-of-service, worms, botnets and Internet routing, each studied individually and deeply," Benzel said.
"But believe me, our adversaries are not looking narrowly," she added. "In fact, they are looking at the combination of these different kinds of threats and vulnerabilities, as well as combining that with cyber-physical systems and social engineering. We can no longer afford to look narrowly at the hard problems."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.