Imagine trying to make travelers go through current onerous airport security before the terror attacks of Sept. 11, 2001. That's the situation lawmakers say they are in as they seek to pass legislation to combat cyberattacks.
"There is a great divide between what American people know and understand about this threat and reality," Sen. Richard Blumenthal, D-Conn., said at an event sponsored by Politico on Thursday.
Blumenthal joined Rep. Mary Bono Mack, R-Calif., in noting that not only is much of what is known about cyberthreats classified, but there are no widely accepted examples of truly catastrophic or deadly cyberattacks.
While there are millions of various cyberattacks or breaches each year, they're rarely scary enough to make a lasting impression on the average voter, or even lawmakers for that matter. Even the most glamorous and oft-cited cyber worm, Stuxnet, simply did its damage by making nuclear centrifuges spin too fast.
The dire warnings haven't really registered for many Americans, said Bono Mack, who is developing legislation to prevent data breaches. "It's somewhat difficult because we're not really hearing about it from people back home," she said.
As the House debates up to four cybersecurity bills this week, lawmakers have done their best to scare the heck out of everyone. The House Homeland Security Committee, the Congressional Cybersecurity Caucus, and other lawmakers and federal officials have held dozens of briefings and hearings, warning of a "cyber 9/11" or "digital Pearl Harbor," in an attempt to galvanize Capitol Hill.
"America's computers and Internet infrastructure are under attack and every American is at risk," Rep. Michael McCaul, R-Texas, said at a hearing of the House Homeland Security Subcommittee on Oversight, Investigations, and Management on Tuesday.
He cited former government officials who have warned of cyberattacks that could cause trains to derail, nationwide power outages, and economic collapse. "Unfortunately, this is not a science fiction scenario... America is under attack by digital bombs."
It may not be science fiction, but so far, it is still largely hypothetical. While cyberattacks to protest, steal information, or disrupt a website are well documented, there are few, if any, examples of physical harm caused by cyberattacks. And that can be a challenge for lawmakers and officials seeking to rally individuals and companies to support new cybersecurity measures before such attacks can occur.
On Thursday, for example, two House Homeland Security subcommittees held a joint hearing to warn of cyberthreats from Iran.
"Other nations such as Russia and China may have more sophisticated cyber capabilities, but there should be little doubt that a country that kills innocent civilians around the world, guns down its own people, and calls for the destruction of the State of Israel would not hesitate to conduct a cyber attack against the U.S. Homeland," Counterterrorism and Intelligence Subcommittee Chairman Patrick Meehan, R-Pa., said at the hearing, pointing to the dangers of Iran as the "the world's largest state sponsor of terrorism."
The House is considering several potentially significant bills designed to help businesses and governments share cyberthreat information; increase federal information security; and increase cyber R&D. And lawmakers in the Senate have proposed similar measures, including a proposal to allow the Homeland Security Department to develop cybersecurity standards for some private networks.