WASHINGTON — In 2011, companies and public agencies that provide services critical to the modern American economy — things like water, energy, banking and communications — reported nearly five times as many attacks on their infrastructure as the year before.
Because the assailants’ weapons were computers and malicious software, not bombs or guns, the vast majority of those 200 intrusions attracted little attention outside the U.S. Department of Homeland Security and the targets themselves.
But as the number of cyber attacks rises along with their level of sophistication, members of Congress and federal officials are pushing hard to strengthen the nation’s defenses against computer-borne attacks that could cause economic mayhem.
“It is not a matter of whether a cyber attack will occur. The only question is when it will occur,” Sen. Susan Collins, R-Maine, said earlier this week during a Washington press conference.
Collins, who is a member of the Homeland Security Committee, is among the lead sponsors of a bill expected to come up for a vote in the Senate on Monday after years of discussion and months of negotiations with industry, civil libertarians and military officials.
The current version of the bill is admittedly weaker than its sponsors had hoped, placing an emphasis on information sharing between the private sector and government rather than government mandates.
Even so, the bill’s success is not assured. Amendments on the Senate floor — such as one to ban high-capacity ammunition magazines in response to the movie theater shooting in Colorado — could weaken the bipartisan support needed to reach 60 votes. And aspects of the measure will likely face opposition in the more conservative House.
But supporters argue it will take an important step forward in protecting the country against debilitating cyber attacks on the computer systems that keep the electric grid functioning, phones working and money flowing in the age of e-commerce.
“The danger of cyber attacks against the United States is clear, present and growing, with enemies ranging from rival nations to cyber-terrorists to organized criminal organizations to rogue hackers sitting at computers almost anywhere around the world,” said Sen. Joseph Lieberman, I-Conn, chairman of the Senate Homeland Security Committee and a bill co-sponsor.
Rather than impose mandatory, government-written security standards on companies that operate the nation’s “critical infrastructure,” the bill asks companies for voluntary compliance. That compromise was viewed as key to winning over conservatives and business groups concerned about over-regulation, although some groups remain opposed.
Negotiators also agreed to strict language saying the military and police may use information on Internet activity for cybersecurity purposes only, not for other law enforcement purposes. And companies that report information will do so directly to civilian agencies, not the military or the National Security Agency.
Those changes, as well as others, were intended to address concerns among privacy advocates that the original bill could have made it easier for the military to expand its monitoring of domestic Internet activity.
“It’s pretty much a firewall that we have always maintained and this would have been a major departure,” said Michelle Richardson, a legislative council and lobbyist at the American Civil Liberties Union.
Because the bill is primarily focused on protecting the national infrastructure rather than individuals, it is unlikely to have much of a direct impact on the average consumer. But those consumers would be greatly impacted if a cyber attack brought down, say, the utility grid, said George Markowsky, professor and chairman of the University of Maine’s Computer Science program.
Markowsky, who teaches cybersecurity and runs the cybersecurity lab at UMaine, said the nation’s critical infrastructure network is very vulnerable. And given the fact that the bill’s sponsors backed off the mandatory requirements, Markowsky said he is unsure how effective it will be at strengthening those protections.
“But I think that is always a good first step,” Markowsky said. “Whether it passes now or at some point in the future, there is no doubt we are going to have to do a lot more to protect our critical infrastructure.”
The bill’s passage means that Maine utilities would be encouraged — although not required to upgrade their cybersecurity systems as well as share information about perceived cyber threats with other companies and the government.
Susan Faloon, spokeswoman for Bangor Hydro, said the company already monitors threats and goes beyond any federal regulations. Faloon said she was not aware of any recent cyber attacks on the utility, however.
Representatives for Central Maine Power did not return calls seeking comment on the issue.
Send questions/comments to the editors.