iBig Brother

We can probably all agree that we don't want intruders breaking into our critical infrastructure and disrupting essential services through cyberattacks on private computer networks.

By Patricia Vowinkel


The question, though, is how to keep them out.

The federal government is currently pushing legislation known as the Cybersecurity Act of 2009, which would give it the power to set and enforce security standards for private industry for the first time. The proposals would broaden the focus of the government's computer security efforts to include not only military networks but also private systems that control services such as electricity and water distribution.

The legislation comes in response to concerns about the vulnerability of our systems after computer attacks in Estonia and Georgia in 2007 and 2008. In Estonia, a three-week wave of cyberattacks--in the form of distributed denial-of-service attacks, in which floods of traffic from many compromised machines overwhelm a target's servers and network links--primarily targeted government, banking, media and police sites. Georgian government Web sites also came under attack in the weeks before and during the Russian invasion in 2008.

Perhaps it was no coincidence that just one week after the Cybersecurity Act was introduced in the Senate, the Wall Street Journal broke a story that cited unnamed sources who said that the U.S. electrical grid was penetrated by cyberspies from China, Russia and possibly other countries as well.

Legislation is certainly one way to push private industry to put up more roadblocks to keep bad guys away. I recently spoke with a cybersecurity insurance expert who believes legislation could help risk managers by providing a kind of road map, with some uniform guidelines, as they fight the good fight against these intruders.

He pointed out that legislation such as Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act and Sarbanes-Oxley has helped private industry strengthen its network security by setting a minimum expectation.

And the bill does call for setting standards. It would require the National Institute of Standards and Technology to establish "measurable and auditable cybersecurity standards" applying to private companies as well as the government.

Also of interest to the risk management community: The legislation calls for a congressional cybersecurity report on the feasibility of creating a system of civil liability and insurance, including government reinsurance. It also would address the feasibility of factoring cybersecurity into all bond ratings.

Skeptics have raised some red flags. For instance, the legislation, sponsored by Sen. John D. Rockefeller IV, D-W.Va., and Sen. Olympia Snowe, R-Maine, also calls for the appointment of a cybersecurity "czar" who would have unprecedented authority to shut down computer networks, including private ones, if a cyberattack were underway. One wonders what limits there are on this power and the potential for abuse.

Also troubling is the question of exactly which private networks and systems would be subject to oversight. The legislation defines critical infrastructure systems and networks to include: "State, local and nongovernmental information systems and networks in the United States designated by the president as critical infrastructure information systems and networks." So essentially, it's up to the president.

Legislation has been used in the past to push private companies to improve network security. But experts are worried this bill overreaches, could weaken existing privacy safeguards and fails to address the real problems of cybersecurity.

PATRICIA VOWINKEL has worked for national media outlets for more than 20 years.

June 1, 2009

Copyright © 2009 LRP Publications


Entire contents copyright © 2013 Risk and Insurance® All rights reserved. May not be reproduced in any form without written permission.