Cyber Security Goes Prime Time

Last night's 60 Minutes piece on cyber security ("Sabotaging the System") led with the story that blackouts in Brazil in 2005 and 2007 were caused by computer hackers who took over the systems that control electrical generation facilities. This wasn't a revelation. A senior Defense Department official noted the Brazil attack in a barely noticed speech two years ago, and Wired magazine's "Threat Level" blog recently picked up the trail. Nor was the 60 Minutes story, six months in the making, full of major scoops.

But that hardly matters. Although the piece didn't make much news, it was news to most Americans. Full disclosure, I know the producer, Graham Messick, and while I don't have any special insights into how he approached the subject, I think it's fair to say that his work will change the cyber security debate in some fundamental ways.

For starters, millions of Americans now know that it's possible to plunge a city into darkness via the Internet. They know the strategic significance of such an attack to the United States, thanks to the cogent and succinct analysis of former intelligence chief Mike McConnell and Jim Lewis of the Center for Strategic and International Studies. They also know that cyber spies have pilfered many millions of dollars through online banking fraud, far more than traditional bank robbers. And they know that sensitive government information has been stolen by cyber spies, including some who managed to worm their way into the secret network used by military commanders in Iraq and Afghanistan. Again, all of this was known before last night, and it has been reported by journalists like me and others at major newspapers and cable networks. But 60 Minutes has a unique ability to condense information and deliver it to a mass audience in prime time. 

Recommended Reading

Politically, the piece will raise the heat on President Obama to name a cyber coordinator. That might come as a surprise, since the show conspicuously avoided the numerous criticisms of the president for not appointing that official yet. But we did see footage of Obama's speech in the East Room earlier this year, where he publicly confirmed that "cyber intruders have probed our electrical grid." (He also alluded to the Brazil attack without naming the country.) Those who say that Obama isn't moving quickly enough on what he called a premier national security issue can simply point to the president's own words, neatly packaged by CBS. They've got more ammunition now.

On the legislative side, electrical plant owners and operators of other critical infrastructures should take note: Rep. James Langevin (D-RI) is coming for you. Langevin has been one of the most outspoken cyber security advocates on the Hill, but he was portrayed last night as the leading voice. (His press office sent out a preview of his remarks in a press release Saturday, and indication that they planned to take full advantage of Langevin's prominence in the story.) He told 60 Minutes that the electrical utilities had "lied to Congress" about steps they were taking to close holes in their networks, the kind that hackers could exploit to cause a blackout in the United States. He ended up by saying that Congress needs to "change [the utilities'] motivation so that when we see a vulnerability like this we can require them to fix it." If Congress requires the electrical companies to fix their weaknesses, or to disclose them to the government, it will be a watershed moment in regulation. And it could set off a chain reaction whereby Congress requires other industries to disclose their network vulnerabilities to the government. This would be a game changer. Electrical generators aren't the only vulnerable systems. And for years now, law enforcement, security, and intelligence officials, all of whom have a stake in protecting the Internet, have complained that companies aren't more forthcoming about their weaknesses. The government has shown a lot of sympathy for industry's plight. They understand that companies have no interest in advertising their weaknesses to investors, shareholders, and would-be hackers. But Langevin's comments show that lawmakers' patience has worn thin. 60 Minutes chose to show footage of a rancorous hearing he chaired, where lawmakers excoriated electrical regulators for not taking promised actions. There are a number of bills pending in Congress that threaten to set requirements on companies to disclose the holes in their networks. Those bills just got a major push last night.  

All in all, while 60 Minutes didn't exactly blow the lid off anything last night, they have elevated the attention of this issue to new heights. That alters the political dynamics significantly.