INSIGHT: White House may move to thwart ‘cyber Pearl Harbor’

18 October 2012 15:37  [Source: ICIS news]

US vulnerable to a By Joe Kamalick

WASHINGTON (ICIS)--Top-level talk of a “Pearl Harbor” cyber attack on US infrastructure and manufacturing may signal a move by the White House to impose a unilateral cyber security mandate on industry, a prospect that makes chemicals producers and other manufacturers uneasy.

The Obama administration is said to be close to issuing an executive order (EO) to establish federal requirements, controls over and access to industrial IT networks and other systems with the aim of preventing a wide scale cyber-terrorism attack.

For many in the US business community and among some in Congress, that presumptive cure might prove more problematic than a potential attack.

The US House and Senate have been mulling several cyber security bills over the last year (S-2151, S-2105, HR-3674, HR-4257) but no one measure has been able to win Democrat and Republican support in both chambers amid concerns about privacy issues, government intrusion into business affairs, more regulatory burdens and the possible loss of proprietary information.

In the absence of action by Congress, Obama administration aides have been meeting with Senate staffers, apparently to work out the broad parameters of a soon-to-come executive order.

And now, in the wake of a hair-raising speech by US Defense Secretary Leon Panetta, prospects for a unilateral cyber-security mandate from the White House are said to have accelerated.

In his speech to business executives whose firms are involved in national security operations, Panetta warned that “A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11”.

“Such a destructive cyber terrorist attack could paralyse the nation,” he added.

Citing recent and accelerated cyber attacks against US financial institutions and Middle East state-operated oil and gas producers, Panetta said that “These attacks mark a significant escalation of the cyber threat.

“We know that foreign cyber actors are probing America’s critical infrastructure networks,” he said.  “They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout the country.”

With the goal of causing widespread panic, facility destruction and even the loss of life, Panetta said that “An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals.

“The collective result of these kinds of attacks could be a ‘cyber Pearl Harbor’,” he said, “an attack that would cause physical destruction and loss of life, paralyse and shock the nation and create a profound new sense of vulnerability.”

He said that to best defend private sector infrastructure facilities, “we must share information between the government and the private sector about threats in cyberspace”.

“Working with the business community, we need to develop baseline standards for our most critical private sector infrastructure,” he said, adding: “This would help ensure that companies take proactive measures to secure themselves against sophisticated threats, but also take commonsense steps against basic threats.”

“Although awareness is growing, the reality is that too few companies have invested in even basic cyber security,” Panetta said.

“While we wait for Congress to act,” he said, “the administration is looking to enhance cyber security measures under existing authorities – by working with the private sector to promote cyber security best practices and increase information sharing.

“Issuing an executive order is one option under consideration,” he said.

Therein lies the rub.

While legislation crafted by members of Congress in both the House and Senate would likely reflect the concerns if not the preferences of various stakeholders, an executive order issued by the president might not share the stakeholder consensus.

Executive orders are issued by the president under existing law to require, prohibit or regulate specific activities. But critics of executive orders argue that presidents use them to make law without congressional approval, circumventing the balance of powers provisions of the US Constitution.

Eleven members of Congress recently wrote to President Barack Obama, urging against an executive order for a cyber-security mandate.

“While we have not seen your proposed executive order,” the members wrote, “multiple reports suggest that it would authorise the Department of Homeland Security (DHS) to determine what constitutes ‘critical infrastructure’ and then adopt certain standards for how such infrastructure is managed to guard against cyber threats.”

“This is the wrong approach,” the senators and representatives argued, in particular noting that recent congressional reports on “severe mismanagement” at DHS in implementing the Chemical Facility Anti-Terrorism Standards (CFATS) “do nothing to increase our confidence”.

Scott Jensen, spokesman for the American Chemistry Council (ACC), noted that cyber security for chemical facilities is already regulated under CFATS.

The chemicals sector, he said, “may be one of the few critical infrastructures that is already regulated on cyber security”.

“We come from a unique perspective because of the work we have already done and the requirements we already have,” he said, “and this needs to be recognised in any further federal imposition of cyber security requirements.”

That sort of recognition is more likely to come in the legislative process than in an executive order, he noted.  “We would prefer a legislative approach rather than an executive order,” Jensen said.

Christine Sanchez, spokeswoman for the Society of Chemical Manufacturers and Affiliates (SOCMA), pointed out that Congress has already put a lot of work and consideration into various cyber security measures, arguing that the legislature should be allowed to do its work.

“Lawmakers are still grappling with the burden this will place on the private sector, which speaks to the need for Congress to continue measured, careful deliberation over the parameters of cyber reform rather than relegating it to a sweeping edict,” she said, referring to an executive order mandate.

"SOCMA opposes an executive order to try to circumvent Congress and hopes the issue will be addressed during the lame duck session or in the coming year, which would be a more appropriate course of action,” she said. 

A “lame duck” session of Congress follows a US national election – such as the coming 6 November vote – in which some members of the Senate and House who have been voted out of office would nonetheless be acting on legislation for which they will not have to answer to the public once they leave office in January.

The 11 members of the House and Senate who urged against an executive order on cyber security also voiced concerns that a unilateral action in this critical area by the president would encourage and even justify moves by repressive governments abroad to restrict internet access.

“An executive order exerting influence over critical infrastructure [cyber operations] is not just a step in the wrong substantive direction,” they wrote.  “It will almost certainly be exploited by other nations to justify their efforts to regulate the internet.”

“This is a most critical time, and we cannot afford a hasty, unilateral action that will only serve to bolster the efforts of less democratic nations to stifle the very free exchange of ideas and expression that has allowed the Internet to flourish across the globe,” they said.

Paul Hodges studies key influences shaping the chemical industry in Chemicals and the Economy


By: Joe Kamalick
+1 713 525 2653



AddThis Social Bookmark Button

For the latest chemical news, data and analysis that directly impacts your business sign up for a free trial to ICIS news - the breaking online news service for the global chemical industry.

Get the facts and analysis behind the headlines from our market leading weekly magazine: sign up to a free trial to ICIS Chemical Business.

Printer Friendly