In late September, Sen. Joe Lieberman detailed a significant and sustained Iranian attack on U.S. banks in retaliation for the Stuxnet virus, which the U.S. all but admitted had been used to attack Iran's nuclear program. In October, Rep. Mike Rogers, chairman of the House Permanent Select Committee on Intelligence, spoke circumspectly about a new cyberthreat from an “unusual source.” Then, on Oct. 11, Secretary of Defense Leon Panetta warned of America’s unpreparedness for a major cyberattack, raising the specter of a cyber Pearl Harbor.
The message was clear: The United States is engaged in a cyber conflict. Alarmingly, however, the U.S. private sector lacks an adequate approach to defending itself against such cyberattacks, in large part because Washington has yet to prepare a firm legal foundation for doing so.
This is not for lack of trying. Members of Congress spent much of 2012 arguing about three different legislative models for cybersecurity. Lieberman led a group promoting a regulatory model, but critics argued that the proposed regulatory process was extraordinarily burdensome and convoluted, and would undermine the speed of decision-making and implementation needed for private firms to fight fast-changing cyber threats.