Report to lawmakers: Pay more attention to cybersecurity

Congress should become involved in more issues related to cybercrime and cyberterrorism, including changing threats, methods to measure their effects and incentives for improving cybersecurity, in an effort to increase the urgency to address them, according to a Congressional Research Service report. Cybercrime is becoming more organized and established as a profit-making and transnational business. The increased use of automated cyberattack tools has overwhelmed some methods for tracking cyberattacks, and the United States' critical infrastructure is openly acknowledged as vulnerable to attack, which could affect national security and the economy, said Clay Wilson, a specialist in technology and national security at the research service for members and committees of Congress. In March, researchers at Idaho National Labs conducted a test to demonstrate the results of simulated cyberattack on a power network. In a video released by the Homeland Security Department, the labs showed how a power generator turbine is forced to overheat and shut down after receiving malicious commands from a hacker. The federal government has taken steps to improve its computer security through requirements mandated by the Federal Information Security Management Act and initiatives DHS oversees. Even so, security has been a low priority at some agencies, Wilson said in the Nov. 15 report. The Government Accountability Office has highlighted that no overall strategy exists to coordinate activities to improve computer security across federal agencies and the private sector, which owns the critical infrastructure. “Ultimately, reducing the threat to national security from cybercrime depends on a strong commitment by government and the private sector to follow best management practices that help improve computer security,” Wilson said. Numerous government reports already exist that make recommendations for management practices to improve cybersecurity. Congress should also address approaches to improve the security of commercial software products, increase security education and awareness for business and home PC users and explore approaches for industry and government to coordinate to protect against cyberattack, Wilson said. Attacks against computers may disrupt equipment and hardware reliability, change processing logic, or steal or corrupt data. Botnets are popular because they can disrupt systems in various ways, and malicious users can rent botnet services from a botnet designer, Wilson said. Bot networks are made up of vast numbers of compromised computers, which have been infected with malicious code and can be remotely controlled through commands sent online. Working in concert, the hundreds or thousands of infected computers disrupt or block Internet traffic for targeted victims; collect data; or distribute spam, viruses and other malicious code. Botnets and other malicious code make it easier for cybercriminals to commit identity theft, which currently costs businesses and consumers $50 billion annually, according to FBI estimates. Nation-states, such as China, extremists and terrorists have numerous options for obtaining malicious technical services to achieve their objectives. For example, in April distributed denial-of-service attacks repeatedly shut down government Web sites in Estonia during a period of weeks. It remains unclear whether the Russian government sanctioned or initiated the attacks by transnational cybercriminals. Congress is considering several cybersecurity bills: