By ASHTON B. CARTER and JANE HOLL LUTE
A disruption of our electric grid or other critical infrastructure could
temporarily cripple the American economy. What’s less well known is
that such an attack could threaten the nation’s defense as well.
Ninety-nine percent of the electricity the military uses comes from
civilian sources. Ninety percent of military voice and Internet
communications travel over commercial networks. Much of the country’s
military logistics are handled by commercial shippers who rely, in turn,
on privately managed networks.
As we protect our ports and coastlines, so must we marshal resources and
techniques to mount an adequate defense of our networks. Our port
security is ensured by a combination of the Coast Guard, Customs and
Border Protection, state and local governments, and private shipping
companies and port operators, with the support of the Navy and the
intelligence agencies. Together, they patrol American waters, scan
cargo, analyze and share information about threats to our coastlines,
and report suspicious behavior to the proper authorities. If any of
these layers were to be removed, our defenses would be weakened.
Effective cybersecurity requires a similar multilevel approach. We have a
final line of cyberdefense in the Defense Department’s Cyber Command,
which defends the nation against advanced cyberattacks, and we have a
strong cyberintelligence system in the National Security Agency, which
detects cyberthreats from overseas. But we need additional levels of
defense to protect the nation’s critical infrastructure.
Collective problems require collaborative solutions. The government and
private sector must work together to prevent cyberdisruption,
cyberdestruction and theft of intellectual property. This requires
robust sharing of information between the government and private sector,
aggressive prosecution of cybercriminals, and cooperation among federal
agencies.
Simply put, the Cybersecurity Act would help by enabling the government
to share information about cyberthreats with industry. The legislation
would also permit the private sector to report cyberintrusions to the
government or private companies. That ability would increase awareness
of cyberthreats, while leaving the private sector in control of which
information is shared. It would do all of this while protecting privacy
and civil liberties, through robust oversight and accountability
measures.
None of us want to see heavy government regulation, especially of the
Internet, the fount of so much innovation and economic productivity. The
legislation would provide meaningful baseline cybersecurity standards
for industry, developed and adopted through a joint industry-government
process.
Although the American economy needs effective cybersecurity measures to
function and prosper, many providers of critical infrastructure have not
invested in basic strategies to defend themselves against cyberthreats.
Meaningful standards will help drive companies to invest and help fill
the gaps in our nation’s cyberdefenses.
Finally, the Cybersecurity Act would ensure that the Department of
Homeland Security has the ability to protect federal networks and assist
the private sector effectively and efficiently, by strengthening the
department’s legal authority.
The Department of Defense stands ready to support the Department of
Homeland Security and any other agency in protecting the nation’s
critical infrastructure. Together, our two departments can bring our
technical ability to bear and improve the nation’s stock of
cybersecurity tools and technology.
This legislation is a critical step for defending America’s
infrastructure against the clear and present cyberthreats we face. We’re
not going to solve this problem overnight; it will involve a learning
experience for both the private sector and the government, but we must
learn fast, and develop solutions as quickly as possible. The
legislation will help pave the way to American security and prosperity
in the information age. It deserves the full support of Congress and the
American people.