The Hill: Government must encourage cyber threat information sharing to combat hacking
Originally printed in The Hill, March 9. 2015.
In such uncertain times, Americans are justifiably seeking safety and security. That extends to their lives in cyberspace, where threats are poorly understood and growing.
Our job in Washington is to work together to develop common-sense policies to enhance the economic and national security of America. As chairman of the Senate Homeland Security and Governmental Affairs Committee, I made that my committee’s mission. Security needs from national and border security to securing the homeland within our borders are all-important priorities for my committee.
Cyberattacks, in particular, remain one of the leading threats. Two years ago, then-head of the U.S. Cyber Command Gen. Keith Alexander described cyber thefts from private and public organizations as “the greatest transfer of wealth in human history.” That remains true, and the threat is growing and evolving,
Today, nation-state actors and criminal organizations engage in cyberattacks with unprecedented frequency and sophistication. As FBI director James Comey said, “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.” Cyberattacks cost U.S. businesses approximately $100 billion annually, and some — such as attacks on the industrial control systems that operate our critical infrastructure — can put Americans’ lives at risk.
Recent attacks such as those on the Department of Defense, the Office of Personnel Management, Anthem, Sony Pictures, Target, Home Depot and JP Morgan Chase have raised awareness of the cyber threats we face. Americans are demanding real cybersecurity, and Congress has an important role to play in facilitating, not dictating, this security.
One important way Congress can help is by enabling information sharing within the private sector and through the government. Companies must be able to share indicators of compromise and vulnerabilities to improve coordination of our nation’s defense against cyberattacks as quickly as possible.
To induce the private sector to share appropriate information, Congress must provide sufficient liability protections. If businesses face civil or criminal penalties for sharing cyber threat indicators, they will be reluctant to share.
We also must ensure that the government will not use information a company shares as a means to regulate the company. The fear of backdoor regulations will also prevent widespread sharing. We need to hear from the general counsels for businesses of all sizes: Will proposals Congress develops provide your company with the needed assurances to share information?
Not only will facilitating information sharing help us prevent cyberattacks in the future, but also it will help us reach the bad actors who truly put Americans’ privacy at risk. I believe we can find common ground by balancing the need to share information and the need to protect people’s privacy. The worst thing we could do for Americans’ privacy is not taking action on cybersecurity at all.
Securing consumer data and notifying consumers upon a data breach is another important step. Notification allows consumers to take action to secure their data and defend themselves against fraud. But this, too, requires a balance.
Today 47 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have enacted laws requiring notification of security breaches involving personal information. Since many businesses operate across state lines, they are forced to navigate through this patchwork of state laws before notifying consumers.
Because each law is different, consumers in different states have different rights when a data breach occurs. This creates confusion and uncertainty for both small and midsize businesses and for consumers.
Congress must craft a national data breach notification bill. This bill must achieve a sufficient level of pre-emption so that we achieve one national standard rather than gaining a 52nd standard.
It is also important that a national standard does not impose such stringent deadlines that it would require companies to distribute inaccurate information or alert intruders that they are under investigation.
This need not mean watering down state laws. Consumers who face financial harm upon a breach should be notified without unreasonable delay.
I am hopeful we can work together to protect the privacy of Americans, the financial information of consumers, the assets of private businesses and our critical infrastructure. What we do will not be a panacea, but it will be a critical first step.