By CNN Sr. National Security Producer Pam Benson
Legislation introduced in the House Intelligence Committee on Wednesday is designed to knock down the barriers that interfere with the federal government and the private sector sharing critical information about cybersecurity threats.
The bill would enable the intelligence community to share classified information with the private sector while at the same time addressing the concerns private companies have with providing information about attacks on their systems to the government.
Communication between the two sides has been problematic and difficult. The government has limited the amount of information it provides private industry about cyberattacks for fear of compromising secrets.
And private industry is often reluctant to report attacks against it. Sean Noonan, a tactical analyst for Stratfor, said business considerations often factor into a company's decision to reveal a cyber intrusion. "If it goes public, they've seen in the past that it could hurt them, hurt their business more and more," Noonan said.
He also noted the privacy issues that arise when the government is involved in defense against cyberattacks.
House Intelligence Committee Chairman Mike Rogers, who unveiled the bipartisan bill, said there is a cyber war going on now that threatens the economic prosperity of America.
"The best thing we can do is to remove the barriers that make it hard for industry to share information and defend themselves, and provide government information in support of those efforts," Rogers said.
Rep. Dutch Ruppersberger, the top Democrat on the committee, framed the debate in more dire terms: "We will have a catastrophic (cyber) attack within the next year. Whether it's attacking a banking system, a grid system, this is going to happen and we have to make sure we're going to protect ourselves."
The new legislation tasks the director of national intelligence with establishing procedures and guidelines for the intelligence community to share cyber threat information with private companies and Internet service providers who have or are eligible for security clearances.
The proposal builds upon a program administered by the Pentagon that enables the National Security Agency to provide classified information on cyber threats to service providers for a limited number of defense companies.
Cyber expert James Lewis said the Defense Industrial Base pilot program has been effective, "in fact, I've been told it may be one of the most effective things we've managed to do in the last 10 years. There's a precedent here."
The House Intelligence Committee bill also would give legal protections to private companies that provide threat information to other approved companies and the federal government.
That data would be exempt from regulatory action and Freedom of Information Act public disclosures.
But the legislation does not require the private sector to share cyber threat information with the government.
Lewis, who is the director of the Technology and Public Policy Program at the Center for Strategic and International Studies, said that's a gamble. "We need to remove the legal impediments, but whether the next step follows automatically, that the companies do what needs to be done without any further encouragement, it's a test."
Rogers said the bill would create an environment in which companies will want to cooperate. "The incentive is they are going to get access to information that will protect their systems," he said. "It is much easier to stop a threat if you know what to look for. ... It is in their interest to cooperate. This costs them millions and millions of dollars."
Industry representatives called the initiative a critical first step.
"It would knock down policy and legal barriers that have limited the healthy sharing of cyber threat information between and among elements of the public and private sectors," said Bruce Josten of the U.S. Chamber of Commerce.
USTelecom President Walter McCormick said the legislation makes it possible for companies to better address cybersecurity attacks by sharing information in a way that is protected and in real partnership.
IBM Vice President Christopher Padilla said the bill "provides a solid framework," but added, "We believe that more information sharing from government to industry has immense value, but information sharing from industry to government and to other entities is also valuable and we look forward to seeing how this develops."
Some companies might have a reluctance to share information with federal agencies because of the ill effects left over from the controversial warrantless surveillance program. Following the 9/11 terrorist attacks, President George W. Bush authorized the National Security Agency to monitor phone calls, Internet activity and other communications without a court warrant and with the cooperation of some U.S. telecommunications firms as part of the so-called war on terror. That program has been challenged in court.
James Lewis said companies and the civil liberties community have been haunted by that experience.
"Civil libertarians say, 'How can we trust you when you say you'll do the right thing?' And the companies say, 'You asked us to help out before and we got in a lot of trouble,'" Lewis said.
Rogers rejected that argument. "The bill has nothing to do with government surveillance," he said. "Our bill does not require anyone to provide information to the government. Any sharing of information with the government is completely voluntary every step of the way."
The legislation comes on the heels of a U.S. intelligence community report on the growing threat posed by the international theft of U.S. economic and technology information, both in the public and the private sector.
The national counterintelligence executive report released earlier this month cited Russia and China as being the top offenders in stealing U.S. intellectual property.
Rogers has said China's cyberattacks against the United States had reached "an intolerable level" and were harming U.S. national security.