Hackers defaced Crayola’s Facebook page last week with some offensive and off-color posts that no parent would want children to see. Separately, intruders managed to hijack the YouTube and Twitter accounts of U.S. Central Command, posting videos and documents to taunt the military. Both cyberattacks were symbolic annoyances rather than real threats; neither caused damage to national security or corporate data. But they are nonetheless symbolism worthy of attention — a warning of the deep and continuing crisis in cybersecurity.
The good news is that President Obama and the new Congress have been talking sense about taking action in recent days. The impact of the wholesale looting and destruction of data from Sony Pictures Entertainment, which the United States has attributed to agents of North Korea, has clearly sunk in. After two successive congressional sessions deadlocked on the issue, it was encouraging to see the chairmen and ranking minority members of the homeland security and intelligence committees in both houses expressing a desire last week to move on cybersecurity legislation. Obama said in his meeting with congressional leadership last week that “this is an area where we can work hard together and get some legislation done.”
But this task is going to take more than good vibes. Cyberattackers are outrunning defenses, and the Sony Pictures disaster underscores how vulnerable the private sector has become. The president has offered a legislative proposal to encourage the sharing of information about threats between the vulnerable private sector and the U.S. government, and to offer companies some targeted liability protection. House and Senate efforts last year also revolved around this kind of information-sharing. Although we have endorsed such legislation, it is not a magic bullet to end the wave of thefts, intrusions and cyberespionage. Even if Congress had acted, it’s not clear it would have prevented the Sony hack.
Legislation is a start and still a worthy goal. As a practical matter, however, before any legislation can pass Congress, persistent worries about privacy protection — which led to the defeat of previous bills — have to be debated and addressed. There is a vast gulf of distrust of government, especially following the Edward Snowden revelations about the National Security Agency’s data collection. Yet as the president said last week, “Neither government nor the private sector can defend the nation alone.” They have to work together.
What’s really needed now is a harder edge to thinking about how to prevent another hack like that of Sony Pictures. What if the next onslaught wipes out the computers and switches off lights in a major metropolitan hospital or transit system? This analysis needs to find new ideas and methods for creating effective defenses against cyberattacks. It has to come not only from Congress and the White House but also, dare we say, from the U.S. military and intelligence agencies, and from all institutions and facets of society that have grown so heavily dependent on digital highways.