WASHINGTON - Maine's two U.S. senators are calling for strong cyber-security legislation in the wake of the latest data breach affecting at least four million federal workers.
But at least one Internet technology expert says that, even if lawmakers decide to take action, preventing a cyber attack is easier said than done.
Republican Sen. Susan Collins and independent Sen. Angus King are both members of the Senate Intelligence Committee and they are both urging Congress to take action and pass a cyber-security law.
Collins says the attack on the government personnel office has all the hallmarks of a sophisticated attack, most likely by hackers based in China. "This is a real indictment of the lack of computer security that we have with civilian agencies' computers," Collins says.
She also referenced the numerous breaches that have occurred in the private sector, such as the one that compromised the retailer Target early last year. Collins says she's been pushing for a computer security bill since 2011. She points out that the Senate Intelligence Committee reported out a bill several months ago that she says needs to be brought to the Senate floor.
What most concerns her, she says, is a possible attack on what she calls America's critical infrastructure: "our electric grid, our water plants, our air traffic control system, our financial system - that could cause absolute devastation for our country."
Sen. King, meanwhile, issued a statement renewing his calls for Congress to take action. His comments echo remarks he made on the Senate floor earlier this year in response to a data breach at health insurer Anthem, which affected more than half-a-million Mainers. "What is it going to take, Mr. President, for this body, for this Congress, for this city, to act to protect us against these threats?" King said.
If Congress does agree to pass legislation, what might that legislation look like? It's a question I put to cyber-security expert Edward Sihler, from the University of Southern Maine. "Well, to a certain extent it's very difficult. OK, there are already laws about illegal access or inappropriate access to systems, so we could increase those," he says.
Another option, says Sihler, may be to make international cyber-security crime an extraditable offense. "And, at that point, you would want to get in treaties, so if we had proof this actor took these actions, that we could extradite them and get them here."
But Sihler says it's difficult to imagine a piece of legislation that could have prevented this latest breach. "Murder is illegal. It still happens."
As for the crafting of anti-hacking legislation, Sihler says that promises to be a challenging and an interesting process. "It will also be interesting to see how much of it is in the public eye, because Congress can go into closed session for some of this, and that may not be in the best interest."
According to a study released last year, cyber-crime is costing the global economy an estimated $400 billion or more annually, and threatens more than 200,000 jobs in the U.S. alone. Financial institutions are being hit especially hard.
Data breaches have also had a significant impact on credit unions, says John Murphy. He's president of the Maine Credit Union League. "We looked 2013-14, and Maine's credit unions have re-issued in the neighborhood of 400,000 to 500,000 ATM debit cards, and we estimate the total cost, including fraud, in the neighborhood of $2.5 million."
Murphy says what's needed is legislation that puts more onus on the businesses that are breached. "The folks that are responsible for not taking proper care of consumers' data ought to be responsible for absorbing the costs associated with fraud and re-issuing the cards."
Those entrusted with confidential consumer data, he says, should be called to account if that data are stolen.