• The Heritage Network
    • Resize:
    • A
    • A
    • A
  • Donate
  • Congress Needs to Act on Cyber Security-but Act Responsibly

    The report today from the U.S.–China Economic and Security Review Commission is chilling but not terribly surprising. According to the commission (pages 243–44):

    For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers. Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China. This incident affected traffic to and from U.S. government (“.gov”) and military (“.mil”) sites, including those for the Senate, the army, the navy, the marine corps, the air force, the office of secretary of Defense, the National Aeronautics and Space Administration, the Department of Commerce, the National Oceanic and Atmospheric Administration, and many others. Certain commercial websites were also affected, such as those for Dell, Yahoo!, Microsoft, and IBM.

    Though nobody knows what happened to the data, this sort of access could allow Chinese surveillance of specific users or sites or disrupt a data transaction and prevent a user from establishing a connection with a site. According to the commission, “it could even allow a diversion of data to somewhere that the user did not intend [or] possibly allow a telecommunications firm to compromise the integrity of supposedly secure encrypted sessions.”

    That’s powerful stuff. Naturally, the Chinese have denied the report in its entirety, saying that the report was “unacceptable” and based on groundless information. (One can only suppose that the “unacceptable” aspect of the report is that it reveals the Chinese activity for what it is.)

    The incident simply reinforces the need for Congress to act on cyber security. The executive branch has been, appropriately, engaged in finding solutions to cyber security problems, but cyber security legislation is essential. Too much is happening by executive action without the input of our elected representatives.

    We need to clarify the nature of the President’s authorities—how can and should the President be able to respond to an intrusion of the sort reported? We also need to determine where ultimate authority for cyber security operations should be housed within the federal government. It matters, profoundly, whether the Department of Homeland Security or the Department of Defense takes the operational lead for protecting America’s cybernet, and that decision warrants the input of Congress.

    There are three bills pending in the Senate that address cyber security: One, authored by Senators Joe Lieberman (I–CT) and Susan Collins (R–ME) takes a security-oriented approach; another, authored by Senators John D. Rockefeller (D–WV), Olympia Snowe (R–ME), and Thomas Carper (D–DE), leans more heavily on the creation of mandatory standards for the private sector; a third, authored by Senators Kit Bond (R–MO) and Orrin Hatch (R–UT), looks to foster a public–private partnership through our national laboratories. Each of these approaches has something to offer. In the main, we should rely as much as possible on private sector incentives rather than regulation or federal control.

    The reconciliation of these three approaches remains to be completed. It is too ambitious to hope that it will be done in this lame duck session of Congress. But it should be done in the coming year. If the next session of Congress does not produce a comprehensive, consensus bill, everyone should be disappointed.

    Posted in Security [slideshow_deploy]

    One Response to Congress Needs to Act on Cyber Security-but Act Responsibly

    1. blinded1 says:

      If China Telecom is the hijacker, then it is definitely the most stupid hijacker in the world. It is like that one hijacked a car and parked it on the driveway in front of his house. Anyone who hijacked 15% of world's Internet traffic can expect it would not be detected? If McAfee, which prepared the report, is not run by a bunch of idiots, it must be a participant of the plot trying to frame China, a now easy target. It also makes me wonder who are really behind many accusations of China cyber warfare/hack activities. Those who are shouting the loudest are most likely the true culprits.

    Comments are subject to approval and moderation. We remind everyone that The Heritage Foundation promotes a civil society where ideas and debate flourish. Please be respectful of each other and the subjects of any criticism. While we may not always agree on policy, we should all agree that being appropriately informed is everyone's intention visiting this site. Profanity, lewdness, personal attacks, and other forms of incivility will not be tolerated. Please keep your thoughts brief and avoid ALL CAPS. While we respect your first amendment rights, we are obligated to our readers to maintain these standards. Thanks for joining the conversation.

    Big Government Is NOT the Answer

    Your tax dollars are being spent on programs that we really don't need.

    I Agree I Disagree ×

    Get Heritage In Your Inbox — FREE!

    Heritage Foundation e-mails keep you updated on the ongoing policy battles in Washington and around the country.