The report today from the U.S.–China Economic and Security Review Commission is chilling but not terribly surprising. According to the commission (pages 243–44):
For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers. Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China. This incident affected traffic to and from U.S. government (“.gov”) and military (“.mil”) sites, including those for the Senate, the army, the navy, the marine corps, the air force, the office of secretary of Defense, the National Aeronautics and Space Administration, the Department of Commerce, the National Oceanic and Atmospheric Administration, and many others. Certain commercial websites were also affected, such as those for Dell, Yahoo!, Microsoft, and IBM.
Though nobody knows what happened to the data, this sort of access could allow Chinese surveillance of specific users or sites or disrupt a data transaction and prevent a user from establishing a connection with a site. According to the commission, “it could even allow a diversion of data to somewhere that the user did not intend [or] possibly allow a telecommunications firm to compromise the integrity of supposedly secure encrypted sessions.”
That’s powerful stuff. Naturally, the Chinese have denied the report in its entirety, saying that the report was “unacceptable” and based on groundless information. (One can only suppose that the “unacceptable” aspect of the report is that it reveals the Chinese activity for what it is.)
The incident simply reinforces the need for Congress to act on cyber security. The executive branch has been, appropriately, engaged in finding solutions to cyber security problems, but cyber security legislation is essential. Too much is happening by executive action without the input of our elected representatives.
We need to clarify the nature of the President’s authorities—how can and should the President be able to respond to an intrusion of the sort reported? We also need to determine where ultimate authority for cyber security operations should be housed within the federal government. It matters, profoundly, whether the Department of Homeland Security or the Department of Defense takes the operational lead for protecting America’s cybernet, and that decision warrants the input of Congress.
There are three bills pending in the Senate that address cyber security: One, authored by Senators Joe Lieberman (I–CT) and Susan Collins (R–ME) takes a security-oriented approach; another, authored by Senators John D. Rockefeller (D–WV), Olympia Snowe (R–ME), and Thomas Carper (D–DE), leans more heavily on the creation of mandatory standards for the private sector; a third, authored by Senators Kit Bond (R–MO) and Orrin Hatch (R–UT), looks to foster a public–private partnership through our national laboratories. Each of these approaches has something to offer. In the main, we should rely as much as possible on private sector incentives rather than regulation or federal control.
The reconciliation of these three approaches remains to be completed. It is too ambitious to hope that it will be done in this lame duck session of Congress. But it should be done in the coming year. If the next session of Congress does not produce a comprehensive, consensus bill, everyone should be disappointed.