WASHINGTON â€” Businesses, utilities, government agencies and research organizations in Tennessee will be watching closely this week as Congress considers a slate of bills to combat cyberattacks.
Homeland Security Secretary Janet Napolitano has called cyberattacks â€œthe most quickly evolving and most troubling set of threatsâ€ that her department sees, and technology experts say those threats could hit close to home in Tennessee.
The Department of Homeland Security considers the stateâ€™s manufacturers, water processing and chemical plants, nuclear reactors, power grids, banking systems and government facilities as â€œcritical infrastructure,â€ meaning cyberattacks on the facilities could jeopardize safety and public health.
And cybercriminals from China, Russia and around the world are increasingly targeting U.S. businesses and research organizations â€” as recent attacks on Google and the NASDAQ stock exchange show â€” in an effort to steal intellectual property, experts say.
That has spurred congressional lawmakers from both parties to introduce a flurry of bills to crack down on Internet crime â€” but they canâ€™t agree on what legislation should look like.
Tennessee Democratic Rep. Jim Cooper and Republican Reps. Marsha Blackburn, Chuck Fleischmann and Phil Roe have signed on to legislation that would encourage the intelligence community and private sector to share certain information to better protect computer networks from cyberthreats.
The Cyber Intelligence Sharing and Protection Act would allow private companies and the government to share any information â€œdirectly pertaining to a vulnerability of, or threat to,â€ a computer network. Currently, the government canâ€™t share classified intelligence on cyberthreats with the private sector.
The bill and as many as four other cybersecurity proposals are expected to be considered on the House floor next week. It has more than 110 co-sponsors but hasnâ€™t won over some critics who say it could allow companies to share individualsâ€™ private data.
Cooper said the bill would allow the government to share valuable expertise with companies.
â€œBecause our Pentagon and other government agencies are attacked thousands of times a day, we have learned ways to help American business and individuals guard against identity theft of their customers, disruption of electricity and water service, and other threats to daily living,â€ he said.
Blackburn introduced a similar measure last month â€” the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (SECURE IT) Act â€” that would encourage private companies to share information about online threats with the government and toughen penalties for cybercrimes. Her bill and a companion one in the Senate have not yet received a committee vote.
Senate bill stricter
The House bills stand in contrast to a Senate measure that would allow the Homeland Security Department to require certain high-risk computer systems to meet security standards. Napolitano said her department needs such power to ensure that the nationâ€™s most critical networks â€” at utilities, banks and transportation systems, for example â€” are protected from terrorist threats.
She said allowing companies to share information voluntarily, as the House bills would do, isnâ€™t enough.
â€œThey can already do voluntary, and that hasnâ€™t happened,â€ she told the Tennesseanâ€™s Washington Bureau in a recent interview. â€œWe know from talking to the chief information officers in a lot of these companies that investment in cybersecurity is not considered a core competency. It needs to be, and we need some base performance standards to ensure that it is.â€
But House Republicans and some technology experts say added regulation wouldnâ€™t help, and it could force companies to spend more time on compliance than on brainstorming new ways to counteract threats.
â€œI donâ€™t think the federal government is very good at even understanding what to do from a security perspective,â€ said John Kindervag, a senior analyst at Forrester Research. â€œWhat Iâ€™ve seen is a lot of the government practices are far behind what corporate America does.â€
A growing concern
Itâ€™s not clear exactly how many serious cyberattacks occur each year because security breaches arenâ€™t regularly broadcast. But businesses, utilities and researchers in Tennessee say cybersecurity is a growing concern.
â€œWeâ€™ve significantly ramped up our defensive and detection measures in the last year,â€ said Mike Bartell, chief information officer at Oak Ridge National Laboratory. â€œItâ€™s getting very hard to tell the imposters or the posers from the real stuff and still be able to conduct business.â€
He said several national labs had â€œcyberincidentsâ€ last year. His biggest concern is intellectual-property theft that could compromise the labâ€™s research, he said.
Tom Pigg, a professor of computer information systems at Jackson State Community College, said Tennesseeâ€™s community colleges offered almost no cybersecurity courses five years ago. Now, at least half of them offer courses, and some let students concentrate in the subject, he said.
He said hackers can aim at any vulnerable target â€” even unlikely ones.
â€œEven in rural areas in Tennessee, if somebody wanted to target something â€” if they had the proper tools and were able to penetrate some type of a network â€” they could cause damage,â€ he said.
Greg Glasscock, the owner of Nashville-based Computer Vision, said large companies, utilities and government agencies should stay alert and train their employees not to open unfamiliar emails or click suspicious links.
â€œEverybody should be concerned, but the bigger the business, the bigger the footprint you have on the Web, so the more security youâ€™re going to have to have to protect yourself,â€ he said.