Just over two months ago, the House Homeland Security subcommittee that oversees cybersecurity unanimously approved the Precise Act, legislation requiring the relatively few companies that run our nation’s critical infrastructure, such as the electric grid and water systems, to ensure their computer networks meet minimum safety standards. Just as the airline industry must follow Federal Aviation Administration safety standards, the companies that own and operate the infrastructure on which the public most relies should be accountable for protecting their consumers when confronted with a significant risk.
The Precise Act, sponsored by subcommittee Chairman Dan Lungren (R-Calif.), was the result of a bipartisan commitment to address a major national security challenge. I was proud to be part of its development and to become an original co-sponsor.
Unfortunately, despite the best intentions of many members on the other side of the aisle, House Republican leadership appears determined to approach this vital national security challenge like every other issue: in an extremely partisan way that impedes progress, in this case siding with those in critical industries who are neglecting public safety. The leaders pressured the committee to remove any critical infrastructure requirements.
Congress has traditionally set aside partisan differences to deal with vital national security issues, as demonstrated by the other committees that have worked on cybersecurity legislation in this session. In fact, members of both parties on the Homeland Security Committee have come to the same basic conclusion: the status quo of voluntary action will not result in strong cyber protections for our most valuable and vulnerable industries.
Contrary to suggestions by some who oppose safety requirements, the provisions included in the original Precise Act, and in other proposals with the same intent, were not hastily drawn up in response to a few news stories. Legislation drafted in this Congress followed years of careful consideration by policymakers and subject matter experts.
Nearly five years ago, I called electric utility industry leaders before Congress to testify following a shocking demonstration at Idaho National Labs showing that hackers could remotely blow up a power generator from thousands of miles away through a cyberattack. A key witness assured us they were taking precautionary steps; it turned out this testimony had misled Congress and had to be recanted. The CSIS Commission on Cybersecurity for the 44th Presidency that I co-chaired addressed this issue within our recommendations released in 2008.
Half a decade after the Idaho National Labs event, we see more evidence of weaknesses in utilities’ cybersecurity. The president’s senior counterterrorism adviser noted this month that we know of 200 attempted or successful cyber intrusions of the control systems that run these facilities in the past year and, according to a senior FBI official, utilities in at least three U.S. cities were recently compromised.
Given the lessons learned since Sept. 11, 2001, and the FBI director’s assessment that the cyber threat will soon eclipse other terror threats, why are we faltering on our national security commitments? Is it unfair to ask private companies that operate our ports and airlines to pay for preventive steps against potential terrorist plots? Should we eliminate fire and building codes that protect citizens during earthquakes, or remove food safety requirements due to costs?
While I hope Speaker John Boehner (R-OH) and House Leader Eric Cantor (R-VA) would not support rolling back these basic protections, they have ignored bipartisan calls for preventing attacks on our critical infrastructure, which could leave millions of Americans without power or drinkable water for an extended time, leading to great economic damage and, potentially, even loss of life.
I have great respect for Chairman Lungren and a deep appreciation for his good-faith efforts throughout this process, as he has shown a steadfast commitment to the public’s best interests. It is with great disappointment that I will withdraw my co-sponsorship of the new version of the Precise Act. It’s time to move beyond the fantasy that this problem will solve itself through good intentions. Cybersecurity legislation without critical infrastructure protection is dangerously inadequate.
The secretary of Homeland Security emphasized last week that our utilities’ control systems, which are mainly in private hands, must “come up to a certain baseline level.” With increased public awareness helping to build momentum for legislative action, we have a real chance to address these threats to critical infrastructure.
I hope we will not look back at this moment years from now, regretting a missed opportunity after damage has been done.
Langevin is co-founder of the Congressional Cybersecurity Caucus and ranking member of the Armed Services subcommittee on Emerging Threats and Capabilities.