Cybersecurity bill could let companies trade info on hackers
April 18, 2015 Updated: April 18, 2015 5:00pm
WASHINGTON — Reports of hackers entering White House computers and ongoing intrusions into government and private networks are triggering urgent efforts in Congress to bolster cyber defenses.
The legislation is of special interest in San Antonio, a major and growing cybersecurity center that includes the Air Force Cyber Command and one of the largest National Security Agency operations outside of Fort Meade, Maryland.In an unusual display of bipartisanship, cybersecurity legislation written and engineered by Texans that removes barriers to sharing threat information was introduced and passed unanimously by the House Homeland Security Committee in a single day last week. The bill could pass the full U.S. House as earlier as this week.
The city employs between 7,000 and 10,000 cybersecurity workers in government installations and between 2,000 and 3,000 in private companies, said John Dickson, a partner in the Denim Group, a San Antonio-based cybersecurity company, and chairman of the San Antonio Chamber of Commerce’s committee on cybersecurity.
Differences between the House and Senate over privacy protections in the bill need to be resolved. Sponsors also must overcome objections from civil liberties advocates, who worry about spying on innocent people and Internet “militarization” from authoritizaion given companies to deploy countermeasures if hacked.
But in a Congress known for perennial gridlock, sponsors believe concerns by Republican and Democrats alike will lead to passage this year of cyber-defense legislation
Rep. Michael McCaul, R-Austin, chairman of the Homeland Security Committee and chief architect of the legislation, said he has been working with the White House - a rarity in Washington these days.
“This bill is one of the few legislative efforts on the Hill right now that, quite frankly, is bipartisan,” he said.
McCaul pointed to the efforts of two first-term Texas Republicans, John Ratcliffe, of Heath, and Will Hurd, of San Antonio, for their help in advancing the cyber-defense plan.
Dickson said the new legislation “looks to be promising.”
“It reflects how important this is to the United States right now,” he said. “It is a central issue that is being discussed in Congress. Ten years ago, it was something in the back office for IT guys to worry about.”
In his view, Dickson said, nation-states engaged in hacking pose the most significant threat.
“Individual hackers versus Bank of America is a fair fight. But if it’s Russia, it’s not a fair fight,” he said.
Grants of immunity
The cornerstone of the legislation is broad immunity for companies willing to voluntarily share information about perceived threats. Companies could pass on malicious codes and what the legislation refers to as “cyber threat indicators” between one another and to an obscure government entity called the National Cybersecurity and Communications Integration Center.
The center, housed in Homeland Security, is an around-the-clock watchdog charged with protecting against intrusions and responding when they occur.
Liability is a long-standing concern of companies striving to prevent release of customers’ personal identifiable information. The threat of accidental release of information — compounded by leaks from National Security Agency whistleblower Edward Snowden — concerns industries that fear disclosing vulnerability.
The legislation says companies must make “reasonable” efforts to remove information unrelated to a perceived network attack before passing along the information.
In an effort to mollify critics, the Republican-led committee accepted an amendment barring surveillance by the government based on information received from companies. But critics remain, among them the Electronic Frontier Foundation, a nonprofit that promotes civil liberties related to the Internet.
Mark Jaycox, an analyst with the San Francisco-based group, said he has seen marginal improvements in privacy protection by Congress. But he said he worries about vague wording throughout the legislation and authorization for companies to deploy “defense measures” against hacks.
If an intrusion detection system detects suspicious activity, the legislation authorizes action to prevent suspected hacks as long as they are not destructive or cause “substantial harm.”
Jaycox called such grants of authority “a slippery slope…We don’t need the private sector with aggressive new authorities to launch attacks against someone else’s computers,” he said.
Spate of attacks
In the end, fear may outweigh concern about civil liberties.
In a chilling report last week, the Government Accountability Office — the investigative arm of Congress — concluded that hackers could potentially take control of commercial aircraft using the Wi-Fi networks made available by airlines.
Before calling for a vote, McCaul asserted that “American computers are under siege.”
He noted disclosure this month that hackers had obtained non-classified but sensitive information from the White House, including the president’s unpublicized schedule.
McCaul spelled out a litany of “significant intrusions at Target, Neiman Marcus, Home Depot and JP Morgan — all of which were designed to steal the personal information of private citizens.”
“But the most malicious threat is a major cyber attack that shuts down the power grid, cuts off the water supply or disrupts our gas pipelines,” he said.
In an interview, McCaul said Iran has demonstrated capacity to strike American financial centers and confessed his worry about "the rising threat of cyber jihadists."
“The genie is out of the bottle and people have access to this technology,” he said, referring to intrusion techniques.
Hurd, the San Antonio freshman who worked at the CIA and in a cybersecurity business, said he funneled information to the bill’s authors after talking with San Antonio companies and others about their needs.
He tacked on an amendment requiring the government to reach out to smaller companies with anti-hacking information gleaned in the new arrangements.
“When you talk about digital defense, you have to begin with the presumption of breach,” Hurd said. “The continuing threat is sophisticated and highly capitalized, and the skill set required to do these things has gotten broader.”