WASHINGTON -- If businesses don't put in place stronger cybersecurity defenses, Congress might do it for them.
That's the warning from Rep. Gerry Connolly (D-Va.), a prominent voice in Congress on IT issues, who cautions if the firms that oversee critical infrastructure such as the electric grid are hit with a catastrophic cyberattack, lawmakers could be compelled to impose new regulations that could rankle the industry.
"I will tell you this: In the event of a cyber Pearl Harbor, the public will demand that Congress regulate, and standards will be imposed and there'll be no getting around that," Connolly said in remarks at a recent meeting of the Cloud Computing Advisory Caucus, which he co-chairs. "And if we want to avoid that, we've got to try to encourage [the] private sector to set very high standards that they voluntarily agree to try to meet."
Connolly's warning is not directed only at industry, however.
Better cybersecurity standards needed in all sectors
Government agencies, too, must make strides to shore up their IT defenses, an issue that was put into sharp relief by the recently disclosed breach of the Office of Personnel Management (OPM), which compromised the personal information of millions of current and former government employees -- including Connolly, who says that on three occasions criminals have attempted to open fraudulent accounts in his name.
"There is some progress, but the OPM breach really exposed us for the vulnerabilities we have," Connolly says of that attack. "It is not surprising that somebody who saw the vulnerability and exploited it, and so 22-plus million folks who served in the federal government, applied for federal jobs, had a security clearance, left federal service and returned have had their personal information hacked."
Connolly laments that too many government systems -- including OPM's -- fall into the realm of legacy IT, which not only carries considerable maintenance costs, but is also more difficult to secure against a stream of ever-evolving threats.
It is often difficult to determine the culprit in a cyber incident, but in the case of the OPM breach, Connolly points to the Chinese People's Liberation Army as the likely agent, saying that state-sponsored attacks are now "elevated to a major foreign policy concern."
Connolly notes Chinese President Xi Jinping's recent visit to Washington, which produced a bilateral economic framework that included certain cybersecurity commitments, including the pledge not to support the theft of intellectual property or trade secrets.
Like many in Congress, however, Connolly takes a somewhat skeptical view of the potential impact of that accord.
"We'll see if it takes," he says. "But I can only tell you from a foreign policy perspective this is going to become more and more central in our relations with a number of other [nations] -- North Korea, Iran, Russia and, of course, China."
Sign up for CIO Asia eNewsletters.