3 Texans in Congress take lead roles on cybersecurity issues

March 2, 2015
In The News

WASHINGTON — Recent high-profile Internet attacks on companies such as Sony and the insurance giant Anthem have made cybersecurity policy a bipartisan priority in Congress.

But unlike many issues that lawmakers tackle, the problem isn’t overhauling current policy — it’s plotting a new course through largely uncharted territory. Three Texas Republicans have been charged with considering everything from how to respond to attacks sponsored by a foreign government to who would face legal liability for damage caused by a computer attack.

“It’s all very cutting edge, kind of a new frontier. A wild West if you will,” said Rep. Michael McCaul of Austin. “It has not been addressed by Congress, and it needs to be.”

McCaul, along with freshman Reps. Will Hurd of San Antonio and John Ratcliffe of Heath, will head committees or subcommittees related to cybersecurity during the 114th Congress. Their task is first to simply identify the most pressing needs on the topic.

“The biggest issue is refining what the problem is and putting together how do we address that problem, and how do we establish a flexible framework that evolves with the evolving threat,” Hurd said.

Private-sector leaders are growing impatient for Congress to act. Even though it’s often illegal, some companies have launched their own retaliatory attacks against cyber-criminals because “the federal government is not taking care of it,” McCaul said.

“Companies aren’t always going to sit back and take it. They’re going to respond, and not ask for permission but beg for forgiveness,” he said.

The issue is particularly important to Texas, the lawmakers said, because of its robust technology industry.

The capabilities of cyber-criminals have escalated beyond identity theft or credit card fraud. Rogue states and “hacktivists” threaten critical infrastructure such as power grids and water supplies as well as any other system that uses the Internet.

“There have been significant events, but there are far worse scenarios that could happen to us … where you’re really talking about people’s lives immediately at risk,” Ratcliffe said.

Hurd asked what would happen, for instance, if cyber-criminals hacked into a wireless network for medical devices.

“You tap that network, you alter someone’s insulin shots, boom. You kill a lot of people,” he said.

And the U.S. has yet to grapple with the appropriate response for attacks, said Hurd, a former CIA agent.

“If North Korea launched a missile into San Francisco Bay, the North Koreans and the American people know how we would respond,” Hurd said. “But what’s a digital-on-digital attack? And what are the appropriate responses?”

In his State of the Union address last month, President Barack Obama called for more comprehensive cybersecurity policies.

The White House laid out three policy priorities: to promote information-sharing between government and the private sector, bolster cyber tools for law enforcement, and establish a national standard for consumer notification after security breaches.

Hurd, McCaul and Ratcliffe agree that those areas need to be addressed, with information-sharing as the top priority.

Although systems for doing so already exist, companies are often hesitant to use them for fear that reporting a security breach will expose them to lawsuits, or federal agencies will use the shared data to surveil their customers.

The best remedy for that, Ratcliffe said, is to codify liability protections for companies that share information with the government, shielding them from legal repercussions. No other cyber legislation will get off the ground without such protections, he said.

“Right now, all of this is only still in theory because those liability protections are not in place,” Ratcliffe said. “That is the overriding priority and goal of what I’ll be doing in this role. And our success will be defined on whether or not we accomplish that.”

Privacy advocates argue that liability protections are just a way to throw powerful corporations a bone and make it easier for companies to be reckless with the personal data of their customers.

McCaul said that liability protections were a sticking point for Democrats in the previous Congress. But since the president has now expressed support for them, McCaul hopes to have more “leverage” to include liability protections in legislation this time around.

“These companies are not going to be willing to participate ... unless you give them that assurance that they won’t be held liable for doing that,” McCaul said.

But some cybersecurity advocates question whether information-sharing ought to top Congress’ to-do list.

Larry Clinton, president and chief executive of the Internet Security Alliance, a trade association and advocacy group, said that the push for better information sharing is “being vastly overemphasized in the current conversation in Congress.”

“Information-sharing ... needs to be understood as a good tool to have in the toolbox, but not really a game changer,” Clinton said.

Clinton would rather see Congress focus on raising the public’s overall level of cybersecurity literacy, and empowering law enforcement to catch more cyber criminals.

Ratcliffe, who recently held his subcommittee’s first hearing, said he hopes that the recent attacks have generated enough momentum to get the ball rolling.

“I hope it doesn’t take something more, frankly, compelling,” Ratcliffe said. “Because something more compelling is necessarily something more disastrous.”