U.S. Cybersecurity Policy in Context

In light a recent executive order and spate of cyber attacks, we take a look back at past cyber attacks and what our government has done to fortify both the public and private sectors against hackers foreign and domestic.

A look back at past cyber attacks and what our government has done to fortify both the public and private sectors against hackers foreign and domestic. (BigStock Photo)

You can also read this article at Science Progress, CAP’s online science and technology journal, here.

President Barack Obama signed a long-rumored executive order and presidential directive on Tuesday aimed at strengthening the cybersecurity of critical infrastructure.

America’s enemies are “seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems … and swipe our corporate secrets,” President Obama said on Tuesday night during his State of the Union address. Indeed, Secretary of Defense Leon Panetta once used the term, “cyber-Pearl Harbor” to describe the looming threat we face.

These threats to both digital and physical infrastructure could not be more real. In 2007 the Department of Homeland Security demonstrated that hackers could take over a 5,000 diesel engine—the kind routinely used as backup generators in our power grid—and, using nothing but computer code, caused the machine to destroy itself. Using a similar technique, U.S. intelligence officials allegedly used a computer virus dubbed “Stuxnet” to sabotage more than 1,000 uranium enrichment centrifuges in Iran in 2010.

Unfortunately, the government’s past responses to these new and developing threats have been piecemeal and lacking in coordination. In the timeline below we outline the major policy initiatives that led us to yesterday’s executive order, and the cyber attack incidents that spurred them.

Yesterday’s actions are designed to accomplish two goals:

Better collaboration between government and industry in response to cyber threats, such as the one that reportedly compromised email account information at The New York Times on January 31.
Better coordination within government to create robust cyber protections, in order to patch vulnerabilities such as the ones found in a recent governemnt audit of the Federal Communications Commission’s cyber infrastructure.

Specifically, the order and the directive implement a voluntary program for companies working in sectors that involve critical infrastructure, such as power grids, pipelines, or transportation operations, creates new information sharing programs under the Department of Homeland Security, clarifies the role of various federal agencies in pursuing cyber resiliency, and tasks the National Institute of Standards and Technology with designing and implementing a framework to reduce long-term cyber risks.

This comes amidst a new and more aggressive stance by the Pentagon to weaponize cyberspace, and similarly proactive stance that is evolving from private sector actors.

In some ways, cyberspace is like the Wild West of our time—dangerous, difficult to police, and still largely unexplored. What is certain is that yesterday’s executive order will not be the end of this story. It is likely only the beginning.

Andrea Peterson is the Social Media and Analytics Editor at the Center for American Progress. Sean Pool is the Managing Editor of Science Progress. Jason Thomas contributed to the research for this timeline.

The positions of American Progress, and our policy experts, are independent, and the findings and conclusions presented are those of American Progress alone. A full list of supporters is available here. American Progress would like to acknowledge the many generous supporters who make our work possible.