STEVE INSKEEP, HOST:
American companies may soon face new pressure to guard themselves against cyber attacks. The Senate will soon consider cybersecurity legislation. Lawmakers are asking how to protect our power plants, our water supply, the transportation grid, and other facilities on which our lives depend. It turns out that computer criminals could conceivably hack into those systems and shut them down with disastrous consequences. But the question is whether the owners of those facilities should be required by law to improve their defenses.
NPR's Tom Gjelten is here with us this morning to talk about this. Hi, Tom.
TOM GJELTEN, BYLINE: Good morning, Steve.
INSKEEP: OK. So, what would it be like if hackers were to shut down one of those systems I just described, like the power grid?
GJELTEN: Think Hurricane Katrina. That's a good analogy. No electricity, no communication, no safe water, no transportation. And like a hurricane, you're hit without warning, no time to prepare. It would be a disaster.
INSKEEP: And you don't realize how much you need these things until you would lose them. But what's the scenario under which somebody would actually do that?
GJELTEN: Well, it could happen during an all-out cyber war. Or it could be an act of cyber terrorism. Now, right now a cyber war is hard to imagine. I talked about this with Bill Lynn, who until recently was the number two at the Pentagon. He's one of the people who has thought the most about these issues. He says a cyber war attack on the U.S. right now is no more likely than a missile attack, because any country that would do something like that knows it would be hit right back. The greater danger, he says, would come from terrorist groups, they're harder to deter.
BILL LYNN: If terrorist groups were able to acquire these destructive cyber capabilities, I think we should fear greatly that they would use them, because there's nothing to hold them back.
GJELTEN: Now in Lynn's view, there are terrorist groups that would love to carry out an attack like this right now, but he doesn't think they have the capability to do it yet.
LYNN: So we have an opportunity, we have a window of opportunity, to improve our defenses. We don't know exactly how long that window of opportunity is, but I think we should feel a strong need to improve our defenses before that happens.
GJELTEN: And that's the situation. And, Steve, defenses have to be improved, because the companies that operate power plants and water systems right now are not that well prepared to cope with a cyber attack.
INSKEEP: Why would they not be more than a decade after 9/11?
GJELTEN: Well, Steve, remember that computer hackers generally work through the Internet - not always, but generally. As long as the equipment operating these facilities was isolated from the Internet, they were somewhat protected from hackers. But as these systems have been modernized, inevitably there are points where they have some online link. And each of those points is a doorway through which cyber attackers can sneak into the system.
Sean McGurk used to go out and do what he calls vulnerability assessments of these facilities for the Department of Homeland Security. Over and over, he says, the operators told him their plants were not connected to the Internet.
SEAN MCGURK: And as I testified before Congress, in no case had that ever been true. In hundreds of vulnerability assessments, we've always found connections between the equipment on the manufacturing floor and the outside world.
INSKEEP: Former Homeland Security expert there who spoke with NPR's Tom Gjelten, who is in our studios. And, Tom, what he's telling you there is that even the companies themselves do not realize how vulnerable they are.
GJELTEN: Right. And, Steve, remember about 90 percent of these institutions are privately owned. They're outside the government's direct control. And if the owners don't think they're vulnerable to cyber attack, they're less likely to spend the money to bolster their cyber defenses. That's why some folks say legislation is needed, basically, to require them to do certain things.
INSKEEP: To require them to spend the money, because they don't think in their assessment that the risk is worth the cost.
GJELTEN: Let me give you an example. This is the CEO of a power company in Georgia who was interviewed about cybersecurity concerns. Let me read you what he said. These are his words.
(Reading) There's been an awful lot written about cybersecurity and the threat of it. There are a lot of people who want to spend a huge amount of money on something that we have not necessarily identified. Show me an event, he says, where we've lost systems due to cyber terrorism. I'm not aware of one.
Now that's just one CEO. But he illustrates this reluctance to adopt expensive new cybersecurity measures. And it's because of attitudes like that that there's a move in Congress now to boost awareness of cybersecurity problems.
INSKEEP: More than one piece of legislation, if I'm not mistaken. So, what are the key differences, the key approaches, the different approaches to this?
GJELTEN: Mostly it comes down to whether you require companies to improve their cybersecurity or just encourage them. The most prominent bill is sponsored by Senators Joe Lieberman of Connecticut, Susan Collins of Maine, and others. It would require companies to notify the Department of Homeland Security, DHS, of any and all intrusions into their networks.
As of now, they don't have to tell anyone when they've been attacked. It would also establish baseline cybersecurity standards that all companies in a particular sector would be required to meet. But it has run into some strong opposition.
SENATOR JOHN MCCAIN: Unelected bureaucrats at the DHS could promulgate prescriptive regulations on American businesses.
GJELTEN: This is Senator John McCain of Arizona.
MCCAIN: The regulations that would be created under this new authority would stymie job creation, blur the definition of private property rights, and divert resources from actual cybersecurity to compliance with government mandates.
GJELTEN: Senator McCain is reading from a statement there. He has a separate cybersecurity bill that promotes voluntary measures over requirements.
You also have people like Congressman James Langevin of Rhode Island, who has sponsored legislation on the House side similar to the Lieberman-Collins bill. Here's his take on why some companies oppose these requirements to improve their cybersecurity.
REPRESENTATIVE JAMES LANGEVIN: I would assess that the owners and operators of critical infrastructure have employed a minimum level of security because employing more robust cybersecurity would cost money and affect the bottom line. So they're putting profits ahead of public safety, in my opinion.
GJELTEN: It's important to recognize, however, that this debate is not playing out on partisan lines. Among the strongest advocates of tough cybersecurity regulations are some national security types who served in the last Bush administration.
Michael Chertoff, the former Secretary of Homeland Security, and Michael McConnell, the director of national intelligence under President Bush. McConnell says he's normally a fierce free market advocate, but he says more government regulation is sometimes needed. In this case, the need to improve our cyber-defenses warrants it.
MICHAEL MCCONNELL: This threat is so intrusive, it's so serious, it could literally suck the life's blood out of this country. And if we don't address it, it's going to be a severe impact. And so, I think we have no choice but to address it. And some of that process will be regulatory.
GJELTEN: Regulatory. So, McConnell is on the side favoring a mandatory approach.
INSKEEP: Of course all of this is being considered by the Senate, where things do not necessarily move quickly. What kind of legislation could realistically emerge in the coming weeks?
GJELTEN: Well, there's going to be some compromise between Republican and Democratic proposals. Even the advocates of strict oversight of critical infrastructure recognize there's only so much government can do in this area. The Department of Homeland Security can demand that companies improve their cybersecurity, but it's the companies themselves that know best what measures can be taken and how to take them. They're the ones with the expertise.
So no matter which cybersecurity bill gets passed, our critical infrastructure won't be protected against cyber attack unless the government and private industry find a way to work together.
INSKEEP: Tom, thanks very much.
GJELTEN: Thank you, Steve.
INSKEEP: NPR's Tom Gjelten covers national security issues.
(SOUNDBITE OF MUSIC)
INSKEEP: It's NPR News.
It's MORNING EDITION.