Cyber security bill promotes sharing of threat data
November 30th, 2011
10:14 AM ET

By CNN Sr. National Security Producer Pam Benson

Legislation introduced in the House Intelligence Committee on Wednesday is designed to knock down the barriers that interfere with the federal government and the private sector sharing critical information about cybersecurity threats.

The bill would enable the intelligence community to share classified information with the private sector while at the same time addressing the concerns private companies have with providing information about attacks on their systems to the government.

Communication between the two sides has been problematic and difficult. The government has limited the amount of information it provides private industry about cyberattacks for fear of compromising secrets.

And private industry is often reluctant to report attacks against it. Sean Noonan, a tactical analyst for Stratfor, said business considerations often factor into a company's decision to reveal a cyber intrusion. "If it goes public, they've seen in the past that it could hurt them, hurt their business more and more," Noonan said.

He also noted the privacy issues that arise when the government is involved in defense against cyberattacks.

House Intelligence Committee Chairman Mike Rogers, who unveiled the bipartisan bill, said there is a cyber war going on now that threatens the economic prosperity of America.

"The best thing we can do is to remove the barriers that make it hard for industry to share information and defend themselves, and provide government information in support of those efforts," Rogers said.

Rep. Dutch Ruppersberger, the top Democrat on the committee, framed the debate in more dire terms: "We will have a catastrophic (cyber) attack within the next year. Whether it's attacking a banking system, a grid system, this is going to happen and we have to make sure we're going to protect ourselves."

The new legislation tasks the director of national intelligence with establishing procedures and guidelines for the intelligence community to share cyber threat information with private companies and Internet service providers who have or are eligible for security clearances.

The proposal builds upon a program administered by the Pentagon that enables the National Security Agency to provide classified information on cyber threats to service providers for a limited number of defense companies.

Cyber expert James Lewis said the Defense Industrial Base pilot program has been effective, "in fact, I've been told it may be one of the most effective things we've managed to do in the last 10 years. There's a precedent here."

The House Intelligence Committee bill also would give legal protections to private companies that provide threat information to other approved companies and the federal government.

That data would be exempt from regulatory action and Freedom of Information Act public disclosures.

But the legislation does not require the private sector to share cyber threat information with the government.

Lewis, who is the director of the Technology and Public Policy Program at the Center for Strategic and International Studies, said that's a gamble. "We need to remove the legal impediments, but whether the next step follows automatically, that the companies do what needs to be done without any further encouragement, it's a test."

Rogers said the bill would create an environment in which companies will want to cooperate. "The incentive is they are going to get access to information that will protect their systems," he said. "It is much easier to stop a threat if you know what to look for. ... It is in their interest to cooperate. This costs them millions and millions of dollars."

Industry representatives called the initiative a critical first step.

"It would knock down policy and legal barriers that have limited the healthy sharing of cyber threat information between and among elements of the public and private sectors," said Bruce Josten of the U.S. Chamber of Commerce.

USTelecom President Walter McCormick said the legislation makes it possible for companies to better address cybersecurity attacks by sharing information in a way that is protected and in real partnership.

IBM Vice President Christopher Padilla said the bill "provides a solid framework," but added, "We believe that more information sharing from government to industry has immense value, but information sharing from industry to government and to other entities is also valuable and we look forward to seeing how this develops."

Some companies might be reluctant to share information with federal agencies because of the ill effects left over from the controversial warrantless surveillance program. Following the 9/11 terrorist attacks, President George W. Bush authorized the National Security Agency to monitor phone calls, Internet activity and other communications without a court warrant and with the cooperation of some U.S. telecommunications firms as part of the so-called war on terror. That program has been challenged in court.

James Lewis said companies and the civil liberties community have been haunted by that experience.

"Civil libertarians say, 'How can we trust you when you say you'll do the right thing?' And the companies say, 'You asked us to help out before and we got in a lot of trouble,'" Lewis said.

Rogers rejected that argument. "The bill has nothing to do with government surveillance," he said. "Our bill does not require anyone to provide information to the government. Any sharing of information with the government is completely voluntary every step of the way."

The legislation comes on the heels of a U.S. intelligence community report on the growing threat posed by the international theft of U.S. economic and technology information, both in the public and the private sector.

The national counterintelligence executive report released earlier this month cited Russia and China as being the top offenders in stealing U.S. intellectual property.

Rogers has said China's cyberattacks against the United States had reached "an intolerable level" and were harming U.S. national security.

Filed under: Congress • Cybersecurity • Intelligence
soundoff (15 Responses)
  1. Neal Creighton

    Cyber intelligence at the global and site-specific levels is the single most important defense mechanism public and private sectors need to protect themselves against advanced threats. This new proposed legislation is an important step in building out the global intelligence layer. However, it’s critical that enterprise organizations do not wait for such proposals to become reality before taking action to defend their own IT environments. Today’s most sophisticated cyber threats can easily circumvent even the most advanced security solutions on the market. Organizations must learn to approach network security in a completely different way – monitoring, gathering and acting on real-time intelligence to help them take control of the attack, while it’s still happening.

    Neal Creighton
    CounterTack
    http://www.CounterTack.com

    December 1, 2011 at 10:16 pm | Reply
    • Yasmin

      On Monday, November 29, 2010 ESG Analyst Jon Oltsik published a report that looks at the critical infrastructure vulnerabilities in the US, which we have made available here. Jon has also recently written a blog which highlights some of the key findings, which you can read here.

      March 2, 2012 at 11:15 pm | Reply
  2. CoJo

    This would be a perfect task for the government to sink its teeth into. Like the early NASA initiative, enlist private companies. Yes, that would mean spending taxes on this initiative. Think how NASA provided such innovation. The US could be the premier cyber country in the world, being able to protect itself from countries like China, Russia, Romania, etc. and the advances that probably would come out of it that could be used in other ways.

    November 30, 2011 at 3:31 pm | Reply
  3. coriolana

    Oh seriously! These morons wouldn't know how to share a cookie recipe!

    November 30, 2011 at 12:34 pm | Reply
