Feds roll out cyber plan as Hill vows legislation
Declaring that America is losing an aggressive cyber-espionage campaign waged from China, administration officials and lawmakers on Wednesday agreed to push legislation that would make it easier for the government and industry to share information about who is getting hacked and what to do about it.
They say this new partnership, codified by law and buoyed by President Barack Obama's new executive order, is critical to keeping countries like China, Russia and even Iran from rummaging in American computer networks and targeting proprietary data they can use to wreak havoc or compete against U.S. businesses.
The pledge from legislators and Obama's top security aides already has special interest groups scrambling to influence the outcome, which remains uncertain in a bitterly divided Congress focused on other high-priority issues like immigration and gun control.
"Until Congress acts, President Obama will be fighting to defend this country with one hand tied behind his back," said Senate Majority Leader Harry Reid, D-Nev., who promised Wednesday to advance a bipartisan proposal "as soon as possible."
On Tuesday, Obama signed an executive order that relies heavily on participation from U.S. industry in creating new voluntary standards for protecting information. The order also expands the government's effort to share threat data with companies.
But officials warned that the order doesn't do enough to address the threat they say could paralyze U.S. commerce. At issue is the legal liability facing companies if they divulge information, and whether companies should be compelled to meet certain security standards.
"The government is often unaware of malicious activity targeting our critical infrastructure," said Gen. Keith Alexander, head of the National Security Agency and U.S. Cyber Command.
"These blind spots prevent us from being in a position of helping critical infrastructure defend itself and it prevents us from knowing when we need to defend the nation," Alexander told industry and government officials Wednesday at the Commerce Department.
In the House, Reps. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md., both on the Intelligence Committee, have revived their pro-industry legislation that would keep secret any information a company shares with the government. It also would shield businesses from anti-trust litigation if they share threat data with their competitors.
But privacy advocates who helped bring about a veto threat of the legislation last year said the legislation still unfairly gives the secretive NSA a central role in collecting data from the private sector.
Rogers and Ruppersberger say their bill would only allow companies to share technical data, like an IP address, and that the NSA is in the best position to understand the information because of its role in chasing foreign-based hackers.
"We are in a cyber war. Most Americans don't know it ... and at this point, we're losing," said Rogers.
Last year's Senate bill was considered more balanced by privacy advocates because it gave a more central role to the Homeland Security Department. But that legislation, pushed by Sens. Susan Collins, R-Maine, and Joe Lieberman, I-Conn., tanked after the U.S. Chamber of Commerce said the bill's system of setting up industry standards would strangle businesses with unnecessary regulation. Sen. Jay Rockefeller, D-W.Va., chairman of the Commerce Committee, is expected to take on the effort this year now that Lieberman has retired and Collins is no longer the ranking Republican on the Homeland Security panel.
Congress has been struggling for more than three years to reach a consensus on cybersecurity legislation. Given that failure and the escalating risks to critical systems, Obama turned to the order as a stopgap measure with the hope that lawmakers will be able to pass a bill this year.
Liz Gasster, a vice president at the Business Roundtable, which represents CEOs at such corporations as Target and Coca-Cola, said companies probably aren't going to alert federal officials after being hacked - then turn around and share that information with their competitors - "until companies are given sufficient liability and anti-trust protections." Those protections would have to be codified by Congress.
Gasster and other industry representatives say business leaders know the cyberthreat is real and it would be in their favor to work closely with the federal government to prevent the next big attack, or at least deal with it more effectively.
"To them, it gets to the core of their business - their profitability," Gasster said of the CEOs she represents.
Follow Anne Flaherty on Twitter at https://twitter.com/AnneKFlaherty