In what has become a depressingly familiar ritual, computer-security experts revealed recently that hackers with apparent ties to a foreign government — in this case, the Chinese military — had “systematically stolen hundreds of terabytes of data from at least 141 organizations” since 2006.

But while such high-level international cyberintruders grab headlines, most successful online attacks are not all that sophisticated. Despite their Hollywood-enhanced image as inventive über-geeks, most hackers don’t actually have to work very hard to steal data or disrupt websites.

According to a new paper by James A. Lewis of the Center for Strategic and International Studies, the vast majority of successful hacks could have been stopped by relatively simple precautions, such as regularly updating software. Yet many companies don’t bother to take even the most obvious steps to guard against data theft and service disruptions, let alone equip themselves to stop high-level attacks.

The challenge for policymakers is how to solve that problem while beefing up the public’s defenses against increasingly sophisticated cyberattacks. A promising Senate bill was stymied last year by business groups afraid that it would lead to burdensome federal regulations, leading President Obama to issue an executive order that addresses some aspects of the threat.

Obama has now gone further, announcing new diplomatic and trade initiatives aimed at deterring cyberthieves. But Congress needs to do more.

Obama’s executive order requires federal agencies to reveal more information to companies about the cyberthreats they detect. It also calls for the National Institute of Standards and Technology to develop a voluntary “framework of cyber-security practices” within a year, built around the performance standards chosen by private industry.

Notably, the framework wouldn’t specify which technologies companies should use to meet the standards, allowing the market and private innovation to meet new challenges posed by hackers.

The order is sensible and welcome, but it wouldn’t enable companies to send more of the information they gleaned from their networks about hackers to other companies or the government.

As helpful as that might be, Congress would first have to lift federal limits on data sharing and provide new privacy protections. Nor would the order prod companies to embrace the new cybersecurity framework by giving them more protection against liability in the case of a hack.

Only Congress can do that.


From an editorial in the Washington Post