WASHINGTON — If businesses don’t put in place stronger cybersecurity defenses, Congress might do it for them.
That’s the warning from Rep. Gerry Connolly (D-Va.), a prominent voice in Congress on IT issues, who cautions if the firms that oversee critical infrastructure such as the electric grid are hit with a catastrophic cyberattack, lawmakers could be compelled to impose new regulations that could rankle the industry.
“I will tell you this: In the event of a cyber Pearl Harbor, the public will demand that Congress regulate, and standards will be imposed and there’ll be no getting around that,” Connolly said in remarks at a recent meeting of the Cloud Computing Advisory Caucus, which he co-chairs. “And if we want to avoid that, we’ve got to try to encourage [the] private sector to set very high standards that they voluntarily agree to try to meet.”
Connolly’s warning is not directed only at industry, however.
[ Related: Congress probes Internet of Things privacy, security ]
Better cybersecurity standards needed in all sectors
Government agencies, too, must make strides to shore up their IT defenses, an issue that was put into sharp relief by the recently disclosed breach of the Office of Personnel Management (OPM), which compromised the personal information of millions of current and former government employees — including Connolly, who says that on three occasions criminals have attempted to open fraudulent accounts in his name.
“There is some progress, but the OPM breach really exposed us for the vulnerabilities we have,” Connolly says of that attack. “It is not surprising that somebody who saw the vulnerability and exploited it, and so 22-plus million folks who served in the federal government, applied for federal jobs, had a security clearance, left federal service and returned have had their personal information hacked.”
Connolly laments that too many government systems — including OPM’s — fall into the realm of legacy IT, which not only carries considerable maintenance costs, but is also more difficult to secure against a stream of ever-evolving threats.
It is often difficult to determine the culprit in a cyber incident, but in the case of the OPM breach, Connolly points to the Chinese People’s Liberation Army as the likely agent, saying that state-sponsored attacks are now “elevated to a major foreign policy concern.”
Connolly notes Chinese President Xi Jinping’s recent visit to Washington, which produced a bilateral economic framework that included certain cybersecurity commitments, including the pledge not to support the theft of intellectual property or trade secrets.
[ Related: NSA chief warns cyberthreats persist despite China accord ]
Like many in Congress, however, Connolly takes a somewhat skeptical view of the potential impact of that accord.
“We’ll see if it takes,” he says. “But I can only tell you from a foreign policy perspective this is going to become more and more central in our relations with a number of other [nations] — North Korea, Iran, Russia and, of course, China.”
Domestically, he sees more room for cooperation between the government and the business community, observing that both sectors are coming under the same types of attacks from common adversaries, and could each benefit by sharing information about emerging threats.
[ Related: Tech startups need to get serious about security ]
But beyond information sharing — an area where there is broad agreement that both the public and private sectors could do a better job — Connolly knocks both government and industry for failing to develop a strong, broadly adopted cybersecurity framework.
“The multiplicity of standards, the lack of uniformity of standards both within the federal government and, frankly, in the private sector is of great concern,” he says.
Though he cautions that a disastrous attack — the sort takes down major swaths of critical infrastructure — could prompt lawmakers to take action on cybersecurity legislation, Connolly acknowledges that movement on the issue on Capitol Hill has been slow.
“What’s really interesting in Congress is, candidly, we really haven’t done much,” he says.