Rising cyberthreats set backdrop for latest cybersecurity bill

DHS Secretary Janet Napolitano urges Congress to pass the new legislation, saying it should not wait for a '9/11 in the cyber world'

As the Senate prepares to take another stab at passing a comprehensive cybersecurity bill, a new report shows the number of cyberattacks growing dramatically from China.

China has accounted for the largest percentage of attacks since the last quarter of 2011, according to the latest State of the Internet report from Akamai, which provides one of the largest global networks for Internet content delivery. In the third quarter of last year, China accounted for 33% of cyberattacks, more than double the previous quarter.

By comparison, the combined percentage of the second and third countries, the United States and Russia, respectively, was less than 18%, Akamai reported.

"China's growth from the second quarter was fairly significant, and somewhat surprising," the report said.

Akamai is only the latest study to bolster arguments that the U.S. needs to bring private and public organizations together to protect telecommunication systems, government and corporate networks, and power plants, water filtration systems and other critical infrastructure. Adding to the urgency is the rising number and sophistication of cyberattacks.

An example of advanced threats includes dedicated denial of service (DDoS) attacks over the last several months that has sent an unprecedented amount of bogus traffic against the websites of major U.S. banks.

Over the last three years, security experts have identified three highly effective complex viruses -- Duqu, Flame and Stuxnet -- that have struck government systems around the world.

[Related news: Employees put critical infrastructure security at risk]

The growing risk is behind efforts in the U.S. Senate to try again at passing a comprehensive cybersecurity bill. A committee in the upper house is in the process of writing the Cybersecurity and American Cyber Competitiveness Act of 2013, which will eventually go to the full Senate.

Sens. John D. Rockefeller IV, chairman of the Commerce, Science, and Transportation Committee; Tom Carper, incoming chairman of the Homeland Security and Governmental Affairs Committee; and Dianne Feinstein, chairman of the Select Committee on Intelligence, introduced the proposal this week

 Experts agree on the need for legislation that would establish processes for public and private organizations to share information that would help build better defenses against attacks.

"Given the continuing attacks that we are seeing against a variety of industries, some sort of legislation is an inevitable necessity, as these businesses will all have to be on the same page to stem the tide," said Al Pascual, analyst for Javelin Strategy & Research. "The cyberthreats facing our nation are real, and we need to start getting real about a solution."

To protect the nation, security can no longer be an option for private industry in charge of critical infrastructure.

"For a law to be successful it has to address data sharing between organizations and include provisions that address/force organizations to have security," said Murray Jennex, an associate professor at San Diego State University and an expert in critical infrastructure security.

While security should be mandatory, the government cannot expect private industry to share information without protection from lawsuits related to customer privacy, Jennex said. There is also the issue of protecting data that a competitor could use.

"What I would like to see is a presidential order that allows companies and industries to work together, share attack information and risk information, and come to a consensus on what to do; all without the fear of being sued by customers," Jennex said.

Also, to avoid laws that become outdated quickly, Congress should focus on establishing data-sharing processes and security requirements, without dictating which technology is used, he said.

Congress failed last year to pass the Cyber Security Act of 2012. Opponents that managed to derail the bill included business groups that argued it contained unnecessary and onerous regulations and privacy advocates who said it did not go far enough to protect personal communications. 

The latest proposal has drawn support from Janet Napolitano, secretary of the Department of Homeland Security. In urging Congress to pass legislation, Napolitano told the Wilson Center think tank in Washington that lawmakers should not wait for a "9/11 in the cyber world."

"There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage," a Reuters report quotes Napolitano as saying.

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)