Privacy concerns stall cybersecurity cooperation

Cybersecurity experts agree that sharing information about threats is one of the best ways to beat hackers and keep computer networks safe.

That’s the idea behind legislation in Congress designed to remove legal obstacles to cooperation between government cybersecurity operations and those in private industry.

But the legislation has been stalled for years, primarily over concerns about whether that cooperation would leave the personal information of Americans vulnerable to government spying, a concern that has become worse since National Security Agency leaker Edward Snowden revealed that his organization was doing just that.

As the threat continues to grow, advocates for the legislation are mounting a lobbying effort to address those concerns and get it to President Obama’s desk. Others say even more steps are needed to protect the nation’s critical networks from hackers, many of whom are acting on behalf of foreign adversaries.

“We are at war in the digital world. And yet, because this war lacks attention-grabbing explosions and body bags, the American people remain largely unaware of the danger. That needs to change. Only public attention can create the political momentum for needed reform,” Tom Kean and Lee Hamilton, former co-chairmen of the commission that investigated the Sept. 11, 2001, terrorist attacks, wrote in a September op-ed for the Wall Street Journal.

The two called the pending legislation “an important first step” but went further, suggesting that Congress create a national commission to coordinate cyber strategy and a national clearinghouse for coordinating responses to cyberattacks modeled on the National Counterterrorism Center.

Debate over cybersecurity got a jolt Nov. 20 when NSA chief Adm. Michael Rogers confirmed publicly for the first time that China and at least one other country are capable of hacking into critical infrastructure such as the electric power grid or water systems, potentially causing “catastrophic failures” that could kill Americans or damage property.

The disclosure prompted House Intelligence Committee Chairman Rep. Mike Rogers, R-Mich., to note: “The NSA is not on American domestic networks, but the Russians, the Chinese, the Iranians and multiple other bad actors are.”

It also came on the heels of a report issued by the Senate Armed Services Committee detailing how Chinese hackers have penetrated the computer networks of contractors critical to moving U.S. troops and equipment around the world in time of crisis, potentially giving Beijing access to every move the military makes.

Another cyberattack on Wall Street firms over the summer was believed to have been carried out by Russian hackers.

Officials are concerned about potential alliances between criminal hackers, who usually carry out identity thefts and other attacks for profit, and foreign governments.

The latest effort to counter such attacks was a bill the House passed in July that would allow the government and private industry to share information about cyber vulnerabilities and better defend against cyberattacks. But a companion bill has stalled in the Senate, largely over privacy concerns, and is unlikely to get a vote in the 113th Congress.

The fate of that cybersecurity legislation was closely tied to a bill reining in NSA surveillance programs, a bill which died after failing a key Senate test vote Nov. 18.

“I have tried to get this bill on the floor and so far have not had success, until communities like yourselves take a good look at it, agree with it, come forward and say do it, and do it now,” outgoing Senate Intelligence Committee Chairwoman Sen. Dianne Feinstein, D-Calif., the bill’s sponsor, told the U.S. Chamber of Commerce last month.

“The stakes are too big to let this languish any longer.”

But languish is exactly what the issue is likely to do until the next Congress can start over with new legislation when it convenes in January.

“I think there’s an understandable unease about lots more information going to the NSA,” said Jim Halpert, a lawyer who specializes in data protection, privacy and security issues.

But there is also a greater risk to privacy from cyberattacks than from surveillance, which is why it’s so important to reach agreement on what information can be shared, he said.

“It’s only by sharing information and collaborating that the defenders can hope to keep up with the attackers,” Halpert said. “Most Americans are much more concerned about identity theft than they are about the sharing of their IP information for cybersecurity purposes.”
