Pressure Builds for Congressional Action on Cybersecurity
Just a month ago, we focused on a new executive order aimed at strengthening U.S. cyber defenses, increasing information sharing, and developing standards to protect national security, jobs, and privacy. Before the ink was dry on President Barack Obama’s signature, the White House was calling on Congress to act as well to give our government a greater capacity to secure our networks and deter attacks. In the past week or so, we’ve seen a great deal of discussion in Washington about cybersecurity -- most aimed at getting Congress to act on the issue.
How big a problem are we talking about? In a word, gigantic. A January 2013 report from the Department of Defense found that “a few smart people, in a few days, using tools available to everyone” can significantly disrupt military operations. The report prompted the Washington Post editorial board to call for “an informed, robust debate about policy in this expanding realm.” “We ought not wait until a disaster has arrived to address the policy implications of cyberwar,” the Post concludes.
The Office of Management and Budget released a report to Congress on federal cybersecurity efforts and compliance with the 2002 Federal Information Security Management Act. Computer security costs have increased by more than $1 billion. The Department of Homeland Security (DHS) runs a national clearinghouse of cyberthreat information known as the U.S. Computer Emergency Readiness Team (US-CERT). Part of its job is to track cyberincidents, which DHS defines as violations of an organization’s security policy. That could include unauthorized attempts to access a network, denial of service attacks, or other unwanted behavior. In 2007, US-CERT received almost 12,000 cyberincident reports. That number had more than doubled by 2009 and quadrupled by 2012.
Although how organizations count cyberincidents varies greatly, here are some numbers reported recently:
- The energy company BP says it suffers 50,000 cyberintrusion attempts a day.
- The Pentagon reports getting 10 million attempts a day.
- The National Nuclear Security Administration, an arm of the Energy Department, also records 10 million hacks a day.
- The United Kingdom reports 120,000 cyberincidents a day.
- The state of Michigan fends off 187,000 cyberattacks a day.
- Utah says it faces 20 million attempts a day -- up from 1 million a day two years ago.
The executive order calls for a review of existing cybersecurity regulation and establishes a voluntary program to promote the adoption of a Cybersecurity Framework developed by the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce, in collaboration with critical infrastructure stakeholders. NIST, we know, has started visiting businesses to rally support for the framework. But what the order really amounts to is a starting gun on the renewed push by the White House to get a new cybersecurity bill through Congress this year.
On March 7, the Senate Commerce Committee and Homeland Security and Governmental Affairs Committee held a joint hearing to examine the development and implementation of the order and explore the need for comprehensive legislation to strengthen our nation’s cybersecurity. Department of Homeland Security Secretary Janet Napolitano testified that a "suite" of legislation was needed that would 1) incorporate privacy and civil liberties; 2) create information sharing standards; 3) provide additional tools to fight cybercrime; 4) create a data breach reporting requirement; and 5) give DHS hiring authority equivalent to the National Security Agency’s. She also said the Administration is considering offering a "seal of approval" to companies that join the Homeland Security-led program and a "procurement preferences acquisition" process as possible incentives.
This week, Tom Donilon, the President's national security adviser, urged China to stop hackers from breaking into U.S. computer systems and stealing business secrets. Donilon left no doubt the White House is shifting to a more aggressive stance – including demands for the investigation of cyberespionage cases conducted against U.S. business. Donilon for the first time laid out specific expectations that, if not met, could result in unspecified U.S. action – which in the past has been interpreted as leaving open the options not only for an offensive cyberattack, but for sanctions or even a military response – depending on the severity of the cyberintrusions. “We seek three things from the Chinese side,” Donilon said. “First, we need a recognition of the urgency and scope of this problem and the risk it poses – to international trade, to the reputation of Chinese industry, and to our overall relations. Second, Beijing should take serious steps to investigate and put a stop to these activities. Finally, we need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.” He said cybersecurity is becoming a "growing challenge" to the economic relationship between the United States and China. Later in the week, President Obama promised that the U.S. would have “tough talk” with China over cyber espionage. China, on March 12, said it was willing "on the basis of the principles of mutual respect and mutual trust" to discuss the issue. During a March 14 call congratulating newly elected Chinese President Xi Jinping, President Barack Obama stressed the “importance of addressing cyber-security threats, which represent a shared challenge.”
The Pentagon’s Cyber Command will create 13 offensive teams by the fall of 2015 to help defend the nation against major computer attacks from abroad, Gen. Keith Alexander testified to Congress on March 12, a rare acknowledgment of the military’s ability to use cyberweapons. Alexander said the 13 teams would defend against destructive attacks. “I would like to be clear that this team, this defend-the-nation team, is not a defensive team,” Gen. Keith Alexander, who runs both the National Security Agency and the new Cyber Command, told the House Armed Services Committee. “This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace. Thirteen of the teams that we’re creating are for that mission alone.” Twenty-seven other teams would support commands such as the Pacific Command and the Central Command as they plan offensive cyber capabilities. Separate teams would focus on protecting the Defense Department’s computer networks. He said the first third of the forces, which officials have said will total several thousand civilians and uniformed personnel, will be in place by September and the second third a year later. Some teams are already in place, Alexander said, to focus on “the most serious threats,” which he did not identify.
But he warned that budget cuts and uncertainty will undermine the effort to build up these forces. About 25 percent of the Cyber Command’s budget is being held up by congressional wrangling over the fiscal 2013 budget, he said. And across-the-board cuts that took effect March 1 are forcing civilian furloughs. “By singling out the civilian workforce, we’ve done a great disservice,” said Alexander, noting that one-third of the command workforce is made up of Air Force civilians. He said some cybersecurity recruits have taken a salary cut to work for the government, only to be faced with a furlough. “That’s the wrong message to send people we want to stay in the military acting in these career fields.” He urged Congress to pass legislation to enable the private sector to share computer threat data with the government without fear of being sued.
Democrats and Republicans at the hearing praised U.S. Cyber Command for its development so far, but lawmakers appeared eager for the Defense Department to move more quickly on hiring experts and drafting rules of engagement in cyberspace. The senators expressed deep frustrations with the stream of cyberattacks originating out of China. Lawmakers acknowledged the difficulties in recruiting talent — and previously, key defense leaders sounded those alarms in a critical statement submitted with the 2013 defense authorization bill the President signed in January.
On the same day as Donilon’s speech, Commerce Department officials stressed that Congress needs to pass cybersecurity legislation that incentivizes companies to boost the security of their computer systems and networks, adding that the executive branch cannot grant that power. "Tax incentives, liability protections— those are things that the President can't wave a magic wand and make happen," said Ari Schwartz, senior policy advisor to the Secretary of Commerce. "Congress needs to pass those things."
Testifying before the Senate Intelligence Committee, Director of National Intelligence James Clapper said that cyberattacks are the leading security threat facing the United States. At the committee’s annual hearing on worldwide threats, Clapper said on behalf of himself, FBI Director Robert Mueller, CIA Director John Brennan and National Counterterrorism Center Director Matthew Olsen, “Our statement this year leads with cyber, and it’s hard to overemphasize its significance. Increasingly state and non-state actors are gaining and using cyber expertise. These capabilities put all sectors of our country at risk, from government and private networks to critical infrastructures. We see indications that some terrorist organizations are interested in developing offensive cyber capabilities, and as cyber criminals are using a growing black market to sell cyber tools that fall into the hands of state and non-state actors.” “From a national security perspective, I very much hope that the Congress will move forward with legislation,” said Brennan.
Intelligence Committee Chairman Dianne Feinstein (D-CA) said she is planning to start working on an information-sharing cybersecurity bill with Sen. Saxby Chambliss (R-GA), the committee’s ranking minority member, in the coming months. At a separate Senate Armed Services Committee hearing on the same day, Sen. Lindsey Graham (R-SC) said he was working with Sen. Sheldon Whitehouse (D-RI) on a measure that would allow industry leaders to develop a set of cybersecurity best practices, granting certain companies that operate critical infrastructure liability protection if they follow those guidelines.
At that Armed Services Committee hearing, lawmakers tussled over the role of the federal government in guarding against threats. Army Gen. Keith Alexander, head of the U.S. Cyber Command, acknowledged that the Obama Administration is debating internally how to proceed when U.S. companies are under cyberattack. "The issue that we're weighing is: When does a nuisance become a real problem and when are you prepared to step in for that?" he said. "That's the work that I think the Administration is going through right now and highlighting that." Lawmakers acknowledged they can't agree on legislative measures to bolster protections for computer networks.
In much-reported visits with Members of Congress this week, President Obama has included in his list of priorities, White House press secretary Jay Carney revealed, the need for Congress to take action on cybersecurity. President Obama and his top security advisers also met with chief executives from 13 companies in the White House Situation Room to talk about how the government and private sector could improve U.S. cybersecurity, including the need for legislation. White House officials said the meeting was designed as a “two-way” information exchange. Aides said President Obama wanted to hear directly from industry leaders about how vulnerable their companies were to computer attacks. The President also wanted to discuss efforts the government is taking to address threats. The corporate leaders from the defense, technology, energy and banking industries told the President they agreed cyberattacks are a top security threat but that they were looking for a "light touch" from the government in response to the risk. "Flexibility is important, because this is the kind of threat that changes very quickly," said Honeywell International's David Cote. The meeting also included Randall Stephenson of AT&T, Wes Bush of Northrop Grumman, Rex Tillerson of Exxon Mobil, Jamie Dimon of JPMorgan Chase & Co, Brian Moynihan of Bank of America, and Nicholas Akins of American Electric Power Co.
Testifying before the House Homeland Security Committee, Anish Bhimani, chief information risk officer of JPMorgan Chase (and speaking on behalf of the Financial Services Information Sharing and Analysis Center), and Gary Hayes, chief information officer of CenterPoint Energy, called on Congress to pass legislation that would increase the flow of data shared between the government and industry about cyber threats. Bhimani said “we need to know what's going on and what's affecting us” and that companies need to receive data from the government about online threats in a timely manner so they can thwart cyberattacks in real time. Hayes said cybersecurity legislation needs to be flexible enough so it can apply to both small and large businesses.
In an interview aired March 13, the President said that billions of dollars are lost when industrial secrets are stolen online. And he said that some of the attacks on the nation’s private and public computer networks are sponsored by foreign governments. He said that the government is limited in what it can do to confront China and other sponsors of computer attacks. And he said the government needs the authority to require that critical infrastructure in the country is hardened against such attacks. “There are ways that we can harden our critical infrastructure, our financial sector,” President Obama said. “And the only thing that’s holding us back from doing that right now is we haven’t gotten the legislative authority out of Congress. They need to get this done.”
The House seems most likely to act on the Cyber Intelligence Sharing and Protection Act (CISPA or HR 624), a bill sponsored by House Intelligence Committee leadership. But privacy and civil liberties groups have opposed the bill. Michelle Richardson, legislative counsel at the American Civil Liberties Union, told the House Committee on Homeland Security this week that information sharing legislation needs to give a civilian agency the lead role and also minimize the collection of personal information from companies. "There are ways to conduct information-sharing that builds in some of the privacy protections needed to protect this very sensitive data," she said. Critics of the bill -- which is meant to facilitate the sharing of cyber information between the public and private sectors -- believe its definitions are far too broad. Vast amounts of user information could fall into the category of “cyber threat information” and wind up in the wrong hands, the legislation’s opponents have argued.
Recently, a We The People petition crossed the 100,000-signature threshold required for an official response. The Obama Administration will now have to weigh in sooner rather than later on the contentious bill. Last year, the White House threatened to veto CISPA. It passed through the House anyway, but the Senate never passed a cybersecurity bill. Sponsors reintroduced CISPA this year with no changes in the language, so the White House likely still has objections to it. That puts the House on a collision course with President Obama. Either he will have to give up the veto threat, or the bill will have to be modified somehow before it reaches his desk.
In the Washington Post, TechCrunch writer Gregory Ferenstein wonders where the Internet's outrage over CISPA is. He says CISPA would give the government broad new powers to collect personal data from telecommunication and social network companies, often without a warrant. Provisions in CISPA give legal immunity to companies, including those in social media and search, for sharing information with authorities and also help them combat malicious hackers. So, unlike the power to shut down Web sites, intrusive surveillance doesn’t represent an existential threat to the Web. "Given CISPA’s legal benefits to private companies such as Google and Facebook, it’s easier to see why the corporate pillars of the Internet haven’t jumped on the outrage bandwagon," he writes. He's looking for companies that opposed last year's Stop Online Piracy Act (SOPA) to stand up again. He sees the Internet's "almost parental protection of information and innovation" but wonders if privacy is seen as nice to have, but not essential. "The Internet community will only rise up when they feel threatened. Their inaction is sending the message, whether intended or not, that privacy is not a priority," Ferenstein concludes.
We’ll continue to track this debate and the progress of both CISPA and the Cybersecurity and American Cyber Competitiveness Act, which remains the major cybersecurity bill in the Senate. In the meantime, we’ll see you in the Headlines.