The Heritage Foundation held an event this morning on cyber threats, with particular attention paid to House Intelligence Committee Chairman Mike Rogers’ bill, HR 3523 – the Cyber Intelligence Sharing and Protection Act of 2011.
Rogers discussed what spurred him and the ranking member of the House Intelligence Committee, Dutch Ruppersberger, to action, noting that “the amount of intellectual property we are losing to countries is breathtaking.” Aside from criminal actions that we’re familiar with, he went on, you have nation states spending millions in resources to infiltrate our networks, stealing IP that is the “very heart” of companies, then taking it back to their home country, commercializing it, and using it to compete against the companies they stole it from. Rogers pointed to one case in which 10,000 manufacturing jobs were lost due to IP theft by China, noting that the country effectively has a national policy for this type of behavior.
The House Intelligence Committee went to companies to talk with them about these threats and how they could be mitigated. Rogers said many companies are reluctant to speak up about how their systems have been compromised, because they don’t want to invite more attacks on their systems. Hence the goal of this legislation is to beef up the private sector so it can protect its networks. We’re not forcing them to do anything, or telling them how to do it, Rogers said, we’re just providing them tools to help them out.
Rogers also discussed the bipartisan nature of the legislation, calling the bill a good first step in allowing the private sector to protect its networks. “We’ve got Palo Alto and New York on the same bill,” he said, putting those parties together and agreeing on a way to move forward and get that information flowing. The bill doesn’t contain standards or mandates, focusing instead on information sharing by the government, and liability protections for companies in making use of such information, Rogers continued.
Rogers also highlighted how important a tool the NSA is, noting that the agency has immense resources and a great deal of critical information necessary to defend against the myriad threats in cyberspace. The private sector would be much better equipped to handle threats if the NSA could share that threat data in a classified, secure manner, as this bill would allow.
In response to a question on providing training in addition to information, Rogers said that the first batch of classification orders will likely go to those who are best equipped to handle information and defend against these threats. That information can then be used as a “value-added” to help those who don’t have those same capabilities, in the form of services to those less-equipped companies. This could stimulate competition among cybersecurity firms, Rogers observed, helping to bolster private sector defenses all around.
Michelle Richardson, Legislative Counsel for the ACLU, was skeptical that the legislation provides adequate safeguards for the protection of information and privacy, suggesting that much more rigorous standards are needed to ensure that civil liberties are not infringed. Gus Coldebella, a partner with Goodwin Procter, pointed to the current disincentives for information sharing as a major obstacle to combating cyber threats. Coldebella said the protections for information and for companies contained within the legislation are solid and “diminish the disincentives to sharing.”
Towards the end of his remarks, Rogers echoed Dmitri Alperovitch’s statement that there are two types of companies – those who have been compromised and know it, and those that have been compromised and don’t know it, stressing the need for information sharing to help defend against threats that are increasing at a startling rate. Rogers expects a vote on his bill to take place in April.