Silicon Valley Sounds Off on Failed Cybersecurity Legislation

A cybersecurity bill that would have set security standards for the computer networks that govern the nation’s critical infrastructure was blocked by a Republican filibuster in the Senate on Thursday.

John McCain, the Republican Senator from Arizona, and other Republicans opposed the bill on the grounds that the standards would have been too onerous for corporations. In the weeks leading up to the Senate vote, a compromise was struck to make those standards optional. But on Thursday, following the filibuster, the Senate voted 52 to 46 to end debate on the bill, which fell eight votes short of the 60 it would have needed to pass.

In Silicon Valley, “regulation” is often treated like a four-letter word. But the Valley seems to have made an exception for cybersecurity, where a sort of Wild Wild West has taken hold. Criminals, “hacktivists” and government agents are able to have their way with few effective security technologies and regulations to stop them.

We contacted three Silicon Valley security experts to get their take on the bill, the cyber threat and the potential, as some have warned, for a 9/11-style cyberattack. They are Rob Rachwald, director of security strategy at Imperva, a network security firm; Roger Thornton, the chief technology officer of AlienVault, a threat detection service; and Mark Seward, a senior security director at Splunk, a data security firm.

What was your take on the bill? Should it have passed?

Mark Seward: The bill went through a metamorphosis over time. At one point it had real teeth for industry. Then, there was compromise to remove that. The fact is, it’s needed.

Rob Rachwald: It wasn’t going to make any difference. The bill lost its teeth when it dropped the security mandate clause. The problem is that it was all sticks and no carrots. It included security mandates but it did not say, ‘We’re going to invest more in law enforcement, or create a central exchange where you can see where threats are coming from.’ It just said, ‘We’re going to impose a bunch of stuff on you.’ And then, ‘Actually, we’re going to make that voluntary.’ It lost its teeth. It became an empty suit.

What was the opportunity lost?

Mr. Seward: This is a huge setback. Frankly, every day we don’t pass legislation is a huge setback. It’s the difference between whether we want to be a third world country or a first world country. I’ve traveled abroad and experienced power outages firsthand. The resilience of our infrastructure’s ability to resist an attack is the mark of a first world country. Not being able to trust that water is going to come out of the tap, or that when I light my stove natural gas is going to come out, is a real problem in a first world country. A cyberattack could literally mean that the things we most take for granted won’t be available.

Mr. Rachwald: After the standards became voluntary, it was a wash. The real opportunity loss was the fact that, at least initially, they wanted to build a centralized exchange between the public and private sectors for threat information. They weren’t clear how they were going to do it, but the fact they wanted to do it was important. If nytimes.com gets hacked by someone with ‘IP address 123’ it might look like an isolated incident. But if law enforcement could see that there was an attack from that IP address against multiple news sites, it would indicate that something much bigger was happening. That was the real opportunity missed here.

Roger Thornton: The fact is, intellectual property is being stolen from the industrial base at outrageous rates. Companies are getting broken into all the time. But the idea that there’s some kind of regulation — some sweeping mission to Mars — that is going to solve the whole thing overnight, well, that’s just not going to happen.

This regulation wouldn’t dramatically change the business of cybersecurity in my opinion. It would only build awareness — which is good. Maybe if it had passed 10 years ago, we might have avoided these problems. But now, it’s a different story.

Last week, Shawn Henry, the F.B.I.’s former top cybercop, warned of a 9/11-style cyberattack and said the public won’t take the threat seriously until they experience it firsthand. Is that fear-mongering? When do you think we will witness such an attack?

Mr. Seward: It’s my understanding that the Department of Homeland Security’s incident response team discovered that oil rigs are already under attack. But the fact that I can sit here and imagine scenarios where a key component, like water, might not be available to nuclear reactors is disconcerting. There are plenty of scenarios where the point at which two different parts of critical infrastructure intersect — like oil and gas pipelines, nuclear plants and water treatment facilities — could be jeopardized. All those things are interconnected. Our ability to have the society we have depends on the interconnection of those systems. An attack could happen tomorrow. It could happen next year. Or it could happen 10 years from now. There’s no predicting.

Mr. Rachwald: It’s always quote-unquote imminent. The point is, this legislation would have forced people to think about the threat much more seriously than they will otherwise.