Originally Published: October 14, 2012 12:01 a.m.
The risk of a devastating cyberattack on the United States is real. But is it too remote to justify the costs of countermeasures? That's the quandary. There's no question the country remains vulnerable to an electronic Pearl Harbor as debate goes on over the role the federal government should play in securing computer networks that control the electrical grid, water supply and other critical sectors.
Where they stand:
President Barack Obama wants owners and operators of essential U.S. infrastructure to meet minimum cybersecurity standards that the private sector and federal agencies would develop together. He says federal agencies and businesses should exchange information about looming cyberthreats or malicious software that can damage computer networks.
Republican presidential candidate Mitt Romney says within his first 100 days in office he would order all federal agencies to develop a national strategy to deter and defend the country from cyberattacks. Romney's Republican allies in Congress support the sharing of cyberthreat information but oppose giving Washington a say in how the private sector protects its networks.
Why it matters:
Without warning, the electricity goes out, leaving you and your family in the dark for days, perhaps weeks. Or the gates of a dam holding back millions of gallons of water open suddenly and flood towns below. Or pipes in a chemical plant rupture, releasing deadly gas.
Any one, or all, of these nightmare scenarios could be invisibly set in motion by hackers, terrorist groups or foreign governments with the motivation and technical knowhow. Gen. Keith Alexander, head of U.S. Cyber Command, has rated the country's preparedness for a major cyberattack as poor, a 3 on a scale of 1 to 10.
But Congress hasn't taken action to bolster digital defenses.
The ideological divisions between Republicans and Democrats have grown so wide that the parties can't agree on how to confront a risk they acknowledge is real. At its core, the stalemate is a microcosm of the larger argument underpinning the presidential campaign: How involved should the federal government be in the economy and people's lives?
The risk to critical infrastructure comes from the heavy reliance of these industries on computer systems that remotely control functions once handled by humans, such as the opening and closing of valves and breakers, the switching of railroad tracks and the detection of leaks in oil and gas pipelines. Sending false commands to these systems or disabling them could be disastrous.
Obama says holding companies to minimum security standards would ensure no one is cutting corners. Republicans say that approach will only lead to costly, time-consuming regulations and red tape that won't reduce the risk.
Both sides agree there needs to be a way to share sensitive information about incoming attacks. Yet there are disagreements over how best to ensure these exchanges don't violate rights to privacy or civil liberties.
Politics isn't the only hurdle. The impact of a major cyberattack is hard to grasp because the U.S. hasn't been the target of one. That means less pressure on Congress to act. Cybersecurity experts worry it will take an actual attack to get people sufficiently concerned. The Stuxnet computer worm that infiltrated Iran's nuclear program is a reminder of how debilitating an electronic assault can be.
Gen. Martin Dempsey, the nation's top military officer, worries a cyberattack on critical infrastructure would imperil the armed forces, as well as civilians, because commercial transportation systems and electrical grids are part of the nation's defenses.
"The uncomfortable reality of our world today is that bits and bytes can be as threatening as bullets and bombs," Dempsey, the Joint Chiefs of Staff chairman, told lawmakers.