Businesses say privacy and legal concerns prevent cybersecurity cooperation
WASHINGTON — Pervasive computer spying by the Chinese against the government and American companies is growing in volume and in damage, the chairman of the House Intelligence Committee said on Thursday.
“The technological leadership and national security of the United States is at risk because some of our most innovative ideas and sensitive information are being brazenly stolen by these cyber attacks,” committee chair Rep. Mike Rogers, R-Mich., said at a hearing on legislation to thwart computer attacks.
China prohibits cyber attacks and has done what it can to combat such activities in accordance with Chinese laws, Yuan Gao, a spokesperson at the Chinese embassy, told the Tribune-Review in response to Rogers' remarks.
“China is a major victim of hacker attacks and suffers from frequent attacks from abroad,” Yuan said, adding that “China would like to work with the U.S.” to combat such attacks.
Business leaders testified before the committee about the proposed Cyber Intelligence Sharing and Protection Act, which is aimed at thwarting computer attacks and better responding to them when they occur. Witnesses called for more legal protections and coordination with the government.
Antitrust laws and concerns about getting sued over sharing private information prohibit companies from working with the government and each other when they suspect computer crimes, said John Engler, a former Michigan governor who heads the Business Roundtable, an association of corporate CEOs.
“No one has a greater incentive to protect critical systems — or greater knowledge of how to do so — than the businesses that own and operate these critical systems,” Engler testified. “Cybersecurity threats are presenting risks to these systems that neither the public nor the private sector, acting unilaterally, can protect against.”
Businesses need a Facebook for sharing computer security threats because some companies are better than others at sharing information and protecting their systems, said Kevin Mandia, founding CEO of Mandiant, a computer security company.
He warned that rampant information stealing could quickly turn into something more dangerous.
“The access they have does not inhibit them from deleting and destroying things,” Mandia told members of the House Intelligence Committee. “They have had the access but not the will to do so.”
In “Cyber Rattling: The Next Threat,” a series of Trib stories on cybersecurity that began on Sunday, experts warned about a global war over information that could quickly escalate with destructive — perhaps deadly — computer attacks.
“Too often, companies that would like to share information about attacks are prevented or deterred from doing so because of a range of policy and legal barriers,” said Rogers, who blamed the Chinese for a “breathtaking” level of computer spying.
Rogers also cited the recent denial of service attacks on U.S. banks, which prevented some customers from accessing online accounts. He blamed Iran as the source of the attacks. Iran has denied responsibility.
Part of the problem for businesses is that they do not always know they're even under attack, Engler said.
“Sometimes these threats are developing from someplace outside the country or at a level where it's not even understood that somebody is under attack,” he said. “…There is no doubt in the business community that we have to have information from the intelligence community.”
While the proposed bill would improve information sharing, lawmakers need to fund better computer security research and to update the criminal code to address computer crimes, said Paul Smocer, president of BITS, the technology policy division of The Financial Services Roundtable, a banking and investment industry trade group.
“Cyber criminals are taking advantage of a global system, the Internet,” Smocer said. “They are expanding their capabilities and exploiting the inherent trust we all have in the World Wide Web to conduct malicious activity.”
Despite concerns about revealing sensitive private data, Smocer said companies mainly would share technical data about the nature and source of computer attacks. Under the proposed law, companies would be asked to report information about computer and national security threats, child pornography, dangers facing children and imminent attacks such as a murder plot.
Rep. C.A. “Dutch” Ruppersberger, D-Maryland, the ranking member on the House Intelligence Committee, said the government must act quickly. A similar computer security bill failed last year over business concerns about government overreach. That led President Obama this week to sign an executive order on cybersecurity that calls for a cooperative government-business effort to protect computer systems.
“Our government and private sector companies are under attack,” Ruppersberger said. “Nations are trying to steal our military and intelligence secrets, as well as our companies' most valuable trade secrets, threatening U.S. profits and American jobs.”
Staff Writer Lou Kilzer contributed to this report. Andrew Conte is a reporter for Total Trib Media. He can be reached at 412-320-7835 or firstname.lastname@example.org.