Skip to main content

Congress hears alarm bells about cybersecurity

From Charley Keyes, CNN Senior National Security Producer
Simulated electronic attacks were planned at the National Cybersecurity and Communications Integration Center.
Simulated electronic attacks were planned at the National Cybersecurity and Communications Integration Center.
  • Mubarak's shutdown of the internet in Egypt should be a lesson for the U.S., expert says
  • The action "magnified concerns" about giving a president that power, says Gregory Nojeim
  • "There's no silver bullet for security," another witness says

Washington (CNN) -- The recent internet clampdown by then-Egyptian President Hosni Mubarak should raise fresh concerns in the United States about extending similar emergency powers to the U.S. president, even in the event of a cyberattack, an internet watchdog warned Congress Friday.

"When the government of Egypt cut off internet services on January 27, 2011, to much of its population in order to stifle dissent in an uprising, it magnified concerns about extending cyber security emergency authority to the U.S. president," Gregory Nojeim of the Center for Democracy and Technology said in a statement submitted to a congressional subcommittee.

The internet cutoff in Egypt "illustrated the First Amendment concerns that would attend use of such authority in the U.S.," he said.

Nojeim was among witnesses testifying before the House Armed Services Subcommittee on Emerging Threats and Capabilities.

Of particular concern to the subcommittee is how the United States would respond to a successful cyberattack and whether the Defense Department is able and authorized to take the lead.

The subcommittee chairman, Rep. Mac Thornberry, R-Texas, said the traditional expectation is that the U.S. military would defend the country from outside threats.

"If a formation of planes or hostile-acting ships came barreling toward a factory or refinery in the U.S., we know pretty well what we expect the military to do," Thornberry said. "But what do we expect, or should we expect, if a bunch of malicious, or potentially malicious (data) packets come barreling toward that same factory or facility in cyberspace?"

Thornberry warned that the country's cyber vulnerability is increasing because of greater dependence on ever-more-sophisticated electronics to run the power grid, banking, communications and national security.

"Cyber is a new domain of vandalism, crime, espionage and, yes, warfare, but we are not very well equipped to deal with any of those challenges," Thornberry said.

Nojeim, whose organization calls for an internet that is open and free, says shutting down private computer networks during a crisis could have unforeseen effects. It might even worsen a crisis, he said, if private networks hesitated to share information with the government or delayed action on their own.

Gerry Cauley, CEO of the North American Electric Reliability Corporation, an organization of electricity grid operators, said the security of the nation's grid is improving.

"In terms of the actual evolving security of the grid, I believe we are enhancing that continuously," he said. "We have standards for firewalls and protections and access controls and those kinds of things so the actual security is progressing in terms of continuously improving."

Cauley said power companies continue to develop new ways to test how they would understand and respond to future crises.

"The challenge is what's the worst thing that could happen," he said. "And we are in the process of working with the Department of Defense to postulate some potentially extreme events like the takedown of a major city, the takedown of major oil refineries or military installations."

Despite hearings like the one Friday and ongoing debate inside and outside of Congress, no one is exactly sure what role the military would play if there were a major cyberdisruption of the civilian world.

Rep. Hank Johnson, D-Georgia, said Congress must solve those jurisdictional questions and set out the role of the Defense Department and the Department of Homeland Security.

"Just as the military does not police our streets, it should not police our civilian cyber-infrastructure," Johnson said. "But we must ensure that the armed forces have the necessary tools to protect and defend the country from cyberwarfare."

He said government should impose what he called "hard regulatory requirements" on private industry to ensure companies protect themselves and the national infrastructure from cyberthreats.

Shari Pfleeger, of the Institute for Information Infrastructure Protection at Dartmouth College, told the subcommittee there is no simple way to determine which cyberthreats should be confronted by the military and which by civilians. The military may use private computer systems for some of its operations and threats to national security could be economic or involve espionage, she said.

"I think it would be a case-by-case answer and not just a one size fits all," she said. "... There's no silver bullet for security. I think you need to look at the threat models and use the threat models to decide when the military steps in and when it shouldn't."

Some threats -- for instance, a nuclear blast in space above the United States that would create an electro-magnetic pulse that could cripple the power grid -- would be too large to handle on the civilian side, according to Cauley.

"I think the collaboration, consultation has been good but it is based on ad hoc relationships and not clear lines of reasonability and authority," he said.