The 9/11 Commission, in its 10th anniversary report, cautions Americans and the U.S. government to treat cyberthreats more seriously than they did terrorist threats in the days and weeks leading to Sept. 11, 2001.
"One lesson of the 9/11 story is that, as a nation, Americans did not awaken to the gravity of the terrorist threat until it was too late," says the report, published July 22. "We must not repeat that mistake in the cyber realm."
Americans did not awaken to the gravity of the terrorist threat until it was too late. We must not repeat that mistake in the cyber realm.
But the 9/11 commissioners suggest that's exactly what's happening, taking a swipe at Congress for its inability "to pass basic cybersecurity legislation" despite a "growing chorus of senior national security officials [who] describe the cyber domain as the battlefield of the future."
"Congress's failure to enact comprehensive cybersecurity legislation exacerbates this unpreparedness and puts the country at risk," the updated commission report says.
Perhaps one reason Congress has failed to enact cybersecurity legislation is that Americans haven't demanded it; there's no big constituency for it. The commissioners say they see a waning sense of urgency on the threats to the nation - not just cyber but physical. "The absence of a major attack on American soil does not mean that the terrorist threat has diminished," the report says.
And the major breaches such as Target, eBay and others, as well as publicized assaults on the government to steal secrets and businesses to pilfer intellectual property, haven't resonated with a large portion of the citizenry.
The commissioners urge government and business leaders to explain to the public - "in clear, specific terms" - the severity of the cyberthreat and what's at stake for our country. "If this case is made to the American people," the report says, "we believe that they will support the measures needed to counter the cyberthreat."
Among other recommendations from the commission: the U.S. government should do more to deter cyber-attacks from state adversaries and the administration and Congress must clearly delineate the respective responsibilities of various government agencies in the cyber realm.
Leaks by former National Security Agency contractor Edward Snowden have had had an adverse impact on attracting young people to the security field, which may have "dented young Americans' enthusiasm for national security work," the commissioners say.
"While there was a post-9/11 upsurge in the number of young people applying for national security jobs, recent headwinds appear to have seriously affected recruiting efforts," the report says, noting that NSA applications fell by one-third in the wake of disclosures of NSA meddling. "The threat to the country remains very real, and these agencies are doing work that keeps us all safe," the report says. "These leaks should not dissuade talented, patriotic young people from considering careers in national security."
The anniversary report comes at a time when Congress is considering a number of bills aimed at battling the cyberthreat, including the Cybersecurity Information Sharing Act of 2014, which earlier this month passed the Senate Intelligence Committee. That bill has pitted privacy and civil liberties advocates against big business (see Cybersecurity Info Sharing Bill Draws Criticism).
This week two business groups - the U.S. Chamber of Commerce and the American Bankers Association - reiterated their support for CISA. They backed a draft of the measure several weeks back, but reserved final judgment until they had time to review the version of the bill that passed in a secret meeting of the Senate Intelligence Committee. They particularly like the bill's liability protections that aims at limiting or preventing lawsuits that could results from the content of cyberthreat information businesses share.
"Companies should be able to share cyberthreat information with the government without fear of liability," the commission report recommends, without endorsing a specific bill.
The fate of the bill rests with Senate Majority Leader Harry Reid, D-Nev., who has yet to schedule a vote.
Frustration with Congress
Doug Johnson, executive vice president at the American Bankers Association, is hopeful the bill will come up for a vote in the Senate.
"What's been frustrating over the course of the last few years is that we've been unable to reach a point where both houses can agree upon on what the platform is to even begin the conversation," Johnson says. "We're potentially closer to that than we have been [but] I'm not going to lay odds on whether or not we get there this year or not."
Politico reported in its July 22 Morning Cybersecurity report that a concerted effort is under way to expedite a House vote on the National Cybersecurity and Critical Infrastructure Protection Act in the coming weeks (see Committee Unanimously OK's Critical Infrastructure Measure). That bill would codify the National Cybersecurity and Communications Integration Center, a federal civilian agency within the Department of Homeland Security that promotes real-time cyberthreat information sharing across critical infrastructure sectors. If the House passes this bill, and the Senate passes CISA, the actions could serve as a foundation for a House-Senate conference committee to work out compromise legislation. Then, again, it would need to pass both houses again and win President Obama's approval.
That's a lot of ifs in a year with few legislative days left. But, perhaps, Congress has learned the lesson of 9/11 and will act to bolster its cyberdefenses before a catastrophic event occurs.