The House passed a new cybersecurity bill on Thursday, and the accompanying report emphasizes what many corporate and government experts know only too well.
A number of advanced nation-state actors are actively engaged in a series of wide-ranging, aggressive efforts to penetrate American computer systems and networks and these efforts are targeted not only at sensitive national security and infrastructure information but are also often aimed at stealing corporate research and development information that forms the very lifeblood of the American economy.
The report called it nothing less than pillage.
The other day, Michael P. DeCesare, co-president of the security firm McAfee, a subsidiary of Intel, reminded us of the destructive assault last year on the Saudi national oil company Aramco, which wiped out some 30,000 work stations and servers. It was carried out by malware known as Shamoon, of unknown origin.
Meanwhile, he estimated that one in 10 personal computers is unwittingly roped in to botnets that carry out surreptitious cyberattacks, and he shares the concern, voiced last year by then-Defense Secretary Leon Panetta, about our vulnerability to a major cyberattack.
With all this urgency in the air, there is a real need for the government, which has the sophisticated tools and expertise, to team up with the private sector, where the majority of vulnerable networks exist. But such information sharing requires a basis in law.
Congress deadlocked over legislation in the last session. On Feb. 12, President Obama issued an executive order, a stopgap attempt to begin doing something to meet the threat. The new Congress must do better.
The House moved off the dime quickly with a 288-127 vote to approve the Cyber Intelligence Sharing and Protection Act, a modified version of a bill passed last year to authorize government-industry cooperation on a voluntary basis. Despite efforts to strengthen privacy measures, the bill has been criticized by civil liberties advocates and Obama has threatened to veto it.
The House bill is a start, but there is more to be done.
Last year, we favored a more muscular approach to cybersecurity provided in Senate legislation, which imposed mandatory standards on industry for data sharing. The legislation died in the Senate, not least because of stiff opposition from the U.S. Chamber of Commerce, which raised the specter of more government regulation.
The new chairman of the Senate Commerce, Science and Transportation Committee, John D. Jay Rockefeller IV, D-W.Va., has pledged to move ahead on cybersecurity, including on the key issue of information sharing. But political support for the mandatory approach seems to be ebbing and may not be included in the Senate legislation now being drafted.
If discarded, some other mechanism – perhaps some kind of incentive – will be necessary to ensure that robust private sector cooperation becomes a reality, not just a promise. Privacy and liability issues need to be hammered out, too.
DeCesare mentioned that a major American automaker was chagrined to find the designs for a new car – proprietary plans that it thought was secure from cybertheft – recently turned up in another country. This is going on every day. Congress ought not to dally.