TN seen as likely cyber target

WASHINGTON — Businesses, utilities, government agencies and research organizations in Tennessee will be watching closely this week as Congress considers a slate of bills to combat cyberattacks.

Homeland Security Secretary Janet Napolitano has called cyberattacks “the most quickly evolving and most troubling set of threats” that her department sees, and technology experts say those threats could hit close to home in Tennessee.

The Department of Homeland Security considers the state’s manufacturers, water processing and chemical plants, nuclear reactors, power grids, banking systems and government facilities “critical infrastructure,” meaning cyberattacks on the facilities could jeopardize safety and public health.

And cybercriminals from China, Russia and around the world are increasingly targeting U.S. businesses and research organizations — as recent attacks on Google and the NASDAQ stock exchange show — in an effort to steal intellectual property, experts say.

That has spurred congressional lawmakers from both parties to introduce a flurry of bills to crack down on Internet crime — but they can’t agree on what legislation should look like.

Tennessee Democratic Rep. Jim Cooper and Republican Reps. Marsha Blackburn, Chuck Fleischmann and Phil Roe have signed on to legislation that would encourage the intelligence community and private sector to share certain information to better protect computer networks from cyberthreats.

The Cyber Intelligence Sharing and Protection Act would allow private companies and the government to share any information “directly pertaining to a vulnerability of, or threat to,” a computer network. Currently, the government can’t share classified intelligence on cyberthreats with the private sector.

The bill and as many as four other cybersecurity proposals are expected to be considered on the House floor next week. The bill has more than 110 co-sponsors but hasn’t won over some critics who say it could allow companies to share individuals’ private data.

Cooper said the bill would allow the government to share valuable expertise with companies.

“Because our Pentagon and other government agencies are attacked thousands of times a day, we have learned ways to help American business and individuals guard against identity theft of their customers, disruption of electricity and water service, and other threats to daily living,” he said.

Blackburn introduced a similar measure last month — the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (SECURE IT) Act — that would encourage private companies to share information about online threats with the government and toughen penalties for cybercrimes. Her bill and a companion one in the Senate have not yet received a committee vote.

Senate bill stricter

The House bills stand in contrast to a Senate measure that would allow the Homeland Security Department to require certain high-risk computer systems to meet security standards. Napolitano said her department needs such power to ensure that the nation’s most critical networks — at utilities, banks and transportation systems, for example — are protected from terrorist threats.

She said allowing companies to share information voluntarily, as the House bills would do, isn’t enough.

“They can already do voluntary, and that hasn’t happened,” she told the Tennessean’s Washington Bureau in a recent interview. “We know from talking to the chief information officers in a lot of these companies that investment in cybersecurity is not considered a core competency. It needs to be, and we need some base performance standards to ensure that it is.”

But House Republicans and some technology experts say added regulation wouldn’t help, and it could force companies to spend more time on compliance than on brainstorming new ways to counteract threats.

“I don’t think the federal government is very good at even understanding what to do from a security perspective,” said John Kindervag, a senior analyst at Forrester Research. “What I’ve seen is a lot of the government practices are far behind what corporate America does.”

A growing concern

It’s not clear exactly how many serious cyberattacks occur each year because security breaches aren’t regularly broadcast. But businesses, utilities and researchers in Tennessee say cybersecurity is a growing concern.

“We’ve significantly ramped up our defensive and detection measures in the last year,” said Mike Bartell, chief information officer at Oak Ridge National Laboratory. “It’s getting very hard to tell the imposters or the posers from the real stuff and still be able to conduct business.”

He said several national labs had “cyberincidents” last year. His biggest concern is intellectual-property theft that could compromise the lab’s research, he said.

Tom Pigg, a professor of computer information systems at Jackson State Community College, said Tennessee’s community colleges offered almost no cybersecurity courses five years ago. Now, at least half of them offer courses, and some let students concentrate in the subject, he said.

He said hackers can aim at any vulnerable target — even unlikely ones.

“Even in rural areas in Tennessee, if somebody wanted to target something — if they had the proper tools and were able to penetrate some type of a network — they could cause damage,” he said.

Greg Glasscock, the owner of Nashville-based Computer Vision, said large companies, utilities and government agencies should stay alert and train their employees not to open unfamiliar emails or click suspicious links.

“Everybody should be concerned, but the bigger the business, the bigger the footprint you have on the Web, so the more security you’re going to have to have to protect yourself,” he said.