Analysts work in the Security Operations Center at the Dell SecureWorks… (Stephen Morton / Bloomberg)
In what has become a depressingly familiar ritual, computer security experts revealed this week that hackers with apparent ties to a foreign government — in this case, the Chinese military — had "systematically stolen hundreds of terabytes of data from at least 141 organizations" since 2006.
But while such high-level international cyber intruders grab headlines, most successful online attacks are not all that sophisticated. Despite their Hollywood-enhanced image as inventive uber-geeks, most hackers don't actually have to work very hard to steal data or disrupt websites. According to a new paper by James A. Lewis of the Center for Strategic and International Studies, the vast majority of successful hacks could have been stopped by relatively simple precautions, such as regularly updating software. Yet many companies don't bother to take even the most obvious steps to guard against data theft and service disruptions, let alone equip themselves to stop high-level attacks.
The challenge for policymakers is how to solve that problem while beefing up the public's defenses against increasingly sophisticated cyber attacks. A promising Senate bill was stymied last year by business groups afraid that it would lead to burdensome federal regulations, leading President Obama to issue an executive order this month that addresses some aspects of the threat. Obama went further Wednesday, announcing new diplomatic and trade initiatives aimed at deterring cyber thieves. But Congress needs to do more.
The House has taken the path of least resistance, passing a business-friendly bill last year that would remove the legal barriers that stop companies and the government from sharing data about hacks. An alternative sponsored by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) also sought to establish voluntary, industry-defined performance standards for cyber-security, but it died in the face of specious industry warnings about the standards becoming mandatory and government-dictated.
Obama's executive order requires federal agencies to reveal more information to companies about the cyber threats they detect. It also calls for the National Institute of Standards and Technology to develop a voluntary "framework of cyber-security practices" within a year, built around the performance standards chosen by private industry. Notably, the framework wouldn't specify which technologies companies should use to meet the standards, allowing the market and private innovation to meet new challenges posed by hackers.
The order is sensible and welcome, but it wouldn't enable companies to send more of the information they gleaned from their networks about hackers to other companies or the government. As helpful as that might be, Congress would first have to lift federal limits on data sharing and provide new privacy protections. Nor would the order prod companies to embrace the new cyber-security framework by giving them more protection against liability in the case of a hack. Only Congress can do that.
The most powerful feature of the executive order is a requirement that federal regulators of banks, power plants and other providers of critical infrastructure use the new framework to evaluate and, potentially, improve any existing cyber-security rules. Still, those companies operate only a fraction of the computers being targeted by hackers. More companies need to step up their security efforts, and it's up to Congress to provide the motivation that the market clearly has not.