SCHUMER: UPSTATE POWER GRIDS, BANK DATABASES & TELECOMMUNICATION NETWORK SYSTEMS ARE BEING PUT AT UNNECESSARY RISK; NEW FED PLAN WILL LIMIT USE OF KEY SECURITY SOFTWARE; 9 IN 10 CRITICAL INFRASTRUCTURE PROVIDERS WERE ATTACKED LAST YEAR; SCHUMER URGES FEDS TO SCRAP PLAN THAT WOULD CURTAIL ABILITY TO PROTECT NY’S CRITICAL INFRASTRUCTURE FROM HACKERS
Schumer Says New Fed Rule Inhibits Upstate NY’s Electrical Power Grid Companies, Banks, & Telecommunication Companies From Testing Their Security Network Vulnerabilities, Meant To Help Prevent Dangerous Cyberattacks
For Example, Fed Rules Will Stymie Power Grid Companies’ Ability to Know If They Are Actually Secure Or Critically Vulnerable; Between 2013-2014, Power And Utility Companies Saw A 500% Increase in Attacks
Schumer To Feds: If You Install A Lock On Your Door, You Must Be Able To Check It To Make Sure It Works
Today, on a conference call with reporters, U.S. Senator Charles E. Schumer said a new Commerce Department plan will negatively impact power utility companies’, banks’, and telecommunication companies’ ability to protect themselves from cyberattacks. Schumer said that Commerce Department officials recently promulgated a new rule that would inhibit the development of new security software and restrict a company’s ability to use software that helps it test its firewall strength and find network vulnerabilities. For example, Schumer said these types of “fire drill” and self-assessment safety programs help power and utility companies mitigate the chances of a blackout due to a cyberattack by diagnosing weak points in their cybersecurity before hackers can exploit them. Schumer highlighted that cyberattacks are more and more common across the country. From 2013 to 2014, there was a 500 percent increase in cyberattacks, which is why Schumer is urging the Commerce Department to immediately suspend and rework any plan that could jeopardize Upstate New York’s critical online infrastructure.
“From North Korea to Russia to ISIL to domestic hackers, cybersecurity threats to our power grids, banks, and private consumer information are under assault like never before, so our companies must have the ability to install and test the best defenses. Unfortunately, when it comes to self-testing, a new federal rule is forcing companies and power utilities to fight the scourge of cyberattacks with one hand tied behind their backs,” said Senator Schumer. “The federal government must instead work arm-in-arm with potential hacking targets to beat back the tide of cyberattacks. So I am urging the Department of Commerce to go back to the drawing board on this proposal and find ways to keep critical software out of the hands of would-be evil-doers while giving our companies the leeway they need to protect themselves and the information of millions of New Yorkers.”
“USTelecom shares the concerns expressed by Senator Charles Schumer (D-NY) about Commerce Department proposed rules implementing the Wassenaar Arrangement, which could significantly hamper cybersecurity and information sharing between industry and government. As outlined in comments USTelecom submitted July 20, the rules, while well-intentioned, are too broad and would limit the telecommunication industry’s ability to protect its networks against intrusions by hackers, cyber-criminals, terrorists, and nation-states. While we acknowledge the department’s need to implement the Wassenaar Arrangement, such implementation should not come at the expense of continued development of robust and responsive cybersecurity,” said Walter B. McCormick, Jr., President and CEO of USTelecom.
“The Commerce Department's new rule must be reevaluated. It has the potential to inhibit the current manner in which critical financial institutions protect their vital systems,” said Doug Johnson, Senior Vice President of American Bankers Association.
“We support Senator Schumer’s call to reexamine the implementing rule for the Wassenaar Arrangement. While well-intentioned, the proposed rules could hinder the ability of U.S. companies to respond to ever-changing cyber threats by constructing unnecessary bureaucratic hurdles. There is broad government acknowledgement of the need for speed and flexibility within the private sector to address cybersecurity. We acknowledge that the Department needs to move forward with implementation of the Wassenaar Arrangement; however, such implementation should not be at the expense of cybersecurity,” said Jot Carpenter, Vice President of Government Affairs at CTIA - The Wireless Association.
“We protect the security of our facilities, data, and cyber system as an absolute priority,” said Keri Glitch, Vice President for Security at Iberdrola USA, the parent company of NYSEG and RG&E. “We would be concerned about any rule that might affect our ability to assess and maintain the security of our cyber assets.”
According to New York Attorney General Eric Schneiderman’s office, private and public institutions in New York were hit by an unprecedented 900 data breaches exposing personal and financial information just last year. Between 2006 and 2013, 22.8 million personal records of New Yorkers were exposed in nearly 5,000 data breaches, with many victims unaware. These cyberattacks cost the state an estimated $1.37 billion. Schumer said that because the online networks used by power utility companies, banks and telecommunication companies, hospitals, insurance companies and more protect a considerably high amount of our personal information, the spate of cyberattacks in recent years is particularly alarming. Last year alone, one third of New York residents fell victim to a data breach of some sort.
Schumer said that while these online networks increase convenience, save consumers money and help companies run their operations smoothly, they also make institutions such as banks, telecommunications companies and utility companies vulnerable to cyberattacks. In the event of a data breach, hackers could steal personal information or disrupt critical infrastructure like banking systems or power grids. Schumer said it could be a disastrous situation if, for example, a hacker were to gain access to a power grid and have the ability to cause a regional blackout with just the click of a button. For this reason, many companies have taken steps to guard against cyberattacks by purchasing and implementing software that tests their firewalls and networks to ensure they are protected. This software is often designed to attempt to penetrate an online network so companies can identify their own vulnerabilities and areas for improvement when it comes to securing sensitive information and guarding against a cyberattack. Schumer explained these kinds of programs are critical for power utility companies, banks, telecommunication companies and more to perform periodic “fire drills” to test their own networks to see if they are actually protected.
However, Schumer explained, there is a proposal by the Commerce Department’s Bureau of Industry and Security (BIS) that would limit access to this software. Schumer said that while this proposed rule aims to keep penetrative software out of the hands of hackers and foreign governments that might wish to breach the data of unknowing victims, it was written in such broad terms that it could limit the ability of U.S. companies to access this kind of technology in order to protect themselves. In fact, Schumer explained, these rules would delay companies’ access to critical software. Under the BIS proposed rules, companies would in many instances need to apply for a license to run security tests to gauge the strength of their firewalls. In addition, companies would need permission to share information with foreign employees, which could prove difficult for U.S. companies that have branches overseas or companies that have foreign nationals working for them. Schumer said this rule would also inhibit the development of important cyberprotection tools as well as the ability of companies to test, and therefore protect, their own networks.
Schumer is urging BIS to rewrite this rule in a way that does not interfere with the federal government’s ability to help develop the most advanced security tools or negatively impact U.S. companies’ ability to take advantage of those tools in order to protect themselves. Schumer said this proposal should keep powerful hacking software out of the hands of those who would do harm to American companies without inhibiting the ability of legitimate businesses to protect their own security in a timely and effective manner.
Schumer pointed to recent high-profile attacks against companies like Target, JP Morgan Stanley and SONY to show how cyberattacks are becoming more common across the country and impacting both companies that span numerous industries and consumers of every geographical region, background and financial standing. According to USA Today, in a 2014 study, 43 percent of companies had at least one data breach; this is up 10 percent from the previous year. In addition, 27 percent of these companies said they did not have data breach response systems in place in case of a breach, along with 68 percent that said they felt unprepared to respond to such a cyberattack. Finally, more than 77 percent of companies said more fire drills and access to this kind of self-testing technology would help them practice data breach responses and assess their areas of weakness.
In December 2013, BIS proposed making a number of changes to the Wassenaar Arrangement, a multi-nation cyber accord intended to place limits on dual-use technologies. The Wassenaar Arrangement is not considered official international law or a binding treaty; rather, it relies on participating states implementing its recommendations. In May of this year, in response to the proliferation of cyberattacks, BIS proposed changes that placed limits on surveillance exports so oppressive foreign governments would not be able to access powerful technology that could be used for malicious purposes. However, this proposal included vague language that could repress the global development of security software and prevent U.S. companies from using software technology that allows them to conduct tests of their own cyber networks. Since hackers have no incentive to abide by the Wassenaar Arrangement, domestic companies would be put at a major disadvantage unless the proposed changes are rewritten to allow greater flexibility for technology usage. Schumer said that he is in favor of keeping sensitive technology out of the hands of oppressive foreign governments and cyber hackers, but American companies must be able to conduct cyber defense tests without any hindrances.
A copy of Senator Schumer’s letter to the Undersecretary of Commerce for Industry and Security appears below:
Dear Under Secretary Hirschhorn,
I write today to express concerns about the Bureau of Industry and Security’s (BIS) proposal to implement the 2013 Wassenaar controls related to intrusive software. The goals of the proposal are laudable, and I share them: the proposal is intended to limit access to powerful surveillance tools by oppressive foreign regimes and agents. Unfortunately, I believe the proposal as drafted is vague and overbroad, and may inhibit the development of important cyberprotection tools, as well as limiting the ability of US companies to protect their own networks.
Cyberattacks launched at US companies are at unprecedented levels. Some breaches are widely visible – such as the hacks of OPM and Sony. But many more go unnoticed and unreported, creating vulnerabilities for private businesses and critical infrastructure. In this climate, it is incumbent on the federal government to help businesses protect themselves. Specifically, the government must facilitate the collaborative development of the most advanced security tools, and allow US companies to take advantage of those tools to protect themselves. I am concerned that the BIS proposal, as originally drafted, will interfere with those objectives by prohibiting international collaboration and imposing overbroad licensing requirements, especially for the use of penetration testing software.
A loud chorus of cybersecurity experts and businesses have sounded the alarm about the current BIS proposal, and I encourage you to work with these stakeholders to revise it. The ultimate proposal should keep powerful software out of the hands of those who would do us harm without interfering with the ability of legitimate businesses to protect their own security in a timely and effective manner.
Sincerely,
Charles E. Schumer
United States Senator
###