Eric Engleman and Chris Strohm
The Obama administration simulated a cyber attack on New York City’s power supply in a Senate demonstration aimed at winning support for legislation to boost the nation’s computer defenses.
Senators from both parties gathered behind closed doors in the U.S. Capitol yesterday for the classified briefing attended by Homeland Security Secretary Janet Napolitano, FBI Director Robert Mueller and other administration officials.
The mock attack on the city during a summer heat wave was “very compelling,” said Senator Susan Collins, a Maine Republican who is co-sponsoring a cybersecurity bill supported by President Barack Obama. “It illustrated the problem and why legislation is desperately needed,” she said as she left the briefing.
U.S. lawmakers are debating cybersecurity legislation following assaults last year on companies including New York- basedCitigroup Inc. (C), the third-largest U.S. bank by assets, and Bethesda, Maryland-based Lockheed Martin Corp. (LMT), the world’s largest defense company.
The attacks have increased concern that computer networks operated by U.S. banks, power grids and telecommunications companies may be vulnerable to hacking or viruses that may cause loss of life or inflict widespread economic harm.
The Obama administration is backing a Senate measure introduced on Feb. 14 by Collins and Senator Joe Lieberman, a Connecticut independent, that would direct the Homeland Security Department to set cybersecurity regulations for companies deemed critical to U.S. national and economic security.
A competing Senate bill from eight Republicans including John McCain of Arizona and Kay Bailey Hutchison of Texas would avoid new rules while promoting information sharing through incentives such as protection from lawsuits. Representative Mary Bono Mack, a California Republican, is preparing to introduce similar legislation in the House.
Senator Roy Blunt, a Missouri Republican, called yesterday’s demonstration “helpful because it got a whole bunch of senators thinking about the same thing at the same time.” He said the exercise didn’t sway him to support either of the Senate bills.
After the briefing, Hutchison cited similarities in the two Senate measures while criticizing the “big new bureaucracy and regulatory scheme” in the Obama-backed legislation.
The simulated attack “was intended to provide all senators with an appreciation for new legislative authorities that could help the U.S. government prevent and more quickly respond to cyber attacks,” Caitlin Hayden, a White House spokeswoman, said in an e-mail after the briefing.
A cyber attack leaving New York without power for a prolonged time could have “disastrous” effects, potentially severing communications, crashing life-saving medical equipment and destroying networks that run financial institutions, according to Lawrence Ponemon, chairman of the Ponemon Institute LLC, a research firm based in Traverse City, Michigan.
“I would project that you would have literally thousands of people dying,” Ponemon said in an interview. “A cyber attack on electrical grids that was sustained for three to four weeks would be like returning to the dark ages.”
A blackout that swept parts of North America in August 2003 left 50 million people in the dark for as long as four days. Hackers could cause blackouts “on the order of nine to 18 months” by disabling critical systems such as transformers, said Joe Weiss, managing director of Applied Control Solutions LLC, a Cupertino, California-based security consulting company.
“The dollars are incalculable,” Weiss said. The 2003 event, triggered when a power line touched tree branches in Ohio, caused losses of as much as $10 billion, according to a study by the U.S. and Canadian governments.
Internet Providers Object
Internet-service providers, including AT&T Inc. (T) and Comcast Corp. (CMCSA), opposed new cybersecurity regulations at a House hearing yesterday. The companies said they prefer measures to improve voluntary sharing of information about cyberthreats.
Government-imposed rules could impede innovation, the Internet providers said in testimony to a House Energy and Commerce subcommittee.
“Such requirements could have an unintended stifling effect on making real cybersecurity improvements,” Edward Amoroso, chief security officer for Dallas-based AT&T, said in testimony at the hearing. “Cyber adversaries are dynamic and increasingly sophisticated, and do not operate under a laboriously defined set of rules or processes.”
AT&T is the second-largest U.S. wireless carrier. Philadelphia-based Comcast, the leading U.S. cable provider, and Monroe, Louisiana-based CenturyLink Inc. (CTL) expressed similar views in their prepared testimony.
Senate Majority Leader Harry Reid, a Nevada Democrat, has said he wants to bring the Lieberman-Collins bill to the chamber’s floor for a vote as soon as possible, though he hasn’t given a date. The measure is co-sponsored by Democrats Jay Rockefeller of West Virginia andDianne Feinstein of California.
The Lieberman-Collins bill is S. 2105 and the McCain bill is S. 2151.