Deal Possible on Cybersecurity If Senate Can Pass Similar Bill, Rogers Says
There’s a future for the Cyber Intelligence Sharing and Protection Act (CISPA) if the Senate can pass a comparable bill, said House Intelligence Committee Chairman Mike Rogers, R-Mich., who authored the measure. Though his bill has not gained traction in the upper chamber, if Senate Intelligence Committee Chairwoman Dianne Feinstein, D-Calif., can pass a companion bill, the two could work out a deal, Rogers said on a Tuesday panel at the U.S. Chamber of Commerce. “If we can get anything close to that, anything, we'll get it in conference committee and Senator Feinstein and I will work it out, I'm convinced of it,” he said. “We've just got to get it to the next place."
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Rogers said he has not given up on CISPA: “If we can’t get anything else done, we have got to foster this information sharing.” He said he had been in close conversation with Feinstein on the issues, including at a dinner Tuesday night. The two have differences, he said, but “we'll get there.” Rogers’ bill would increase cyberthreat information sharing between the public and private sectors, which cybersecurity experts say is needed to protect U.S. networks from attacks. A similar bill passed the House last year but failed to get a vote in the Senate. That chamber is still “lagging behind” on understanding the cyberthreat, Rogers said.
The U.S. and its companies face cyberattacks everyday, Rogers said, and although CISPA would not be the “end-all, cure-all” for the problem, it would be a “very important part of upping the private sector’s game and upping the government’s game” with respect to cybersecurity. “We are getting absolutely ravaged every single day,” he said. “And it’s morphing, and that’s very, very concerning.” Rogers pointed to Iran, which he said has the ability to “do very devastating, destructive cyberattacks, and they have used it outside of their own country.” He also praised a bill from Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., and ranking member John Thune, R-S.D., that would codify part of the administration’s executive order and that the committee passed in July (CD Aug 1 p1). Rogers said he was encouraged by the bill’s “light touch,” taking the limited regulatory requirements as a “good sign.”
Former National Security Agency contractor Edward Snowden’s revelations “clearly hurt our chances to have an unconfused debate about what we're trying to accomplish” with regard to cybersecurity, Rogers said. After the revelations, he said, “we spend most of our time fighting the misinformation of the facts.” He said the constituents he meets don’t trust the government, and it has been a task just to “keep the doors open” at the NSA, let alone to extend the agency’s ability to counter cyberattacks. NSA experts “don’t monitor the domestic Internet usage of Americans. They do not,” Rogers said. “Government really doesn’t care what you're talking about in your email, they don’t care what you're posting on your Facebook. They are looking to stop the next terrorist attack, and with the sheer volume of info that flies around the world today, you can imagine how difficult this is.” NSA Director Keith Alexander said at a separate Billington cybersecurity conference Wednesday that Congress must enact legislation to make it easier for the government and industry to share cyber threat information. (See separate report in this issue.)
But information sharing with respect to cybersecurity can’t be modeled on existing information sharing efforts in counterterrorism, said Michael Leiter, former director of the National Counterterrorism Center at the Office of the Director of National Intelligence. Counterterrorism information sharing is “too slow” to work well in the cyber landscape, he said. “That is a recipe for failure,” since cyber is “exponentially faster,” he said. He also countered remarks from former Coast Guard Commandant Thad Allen, who said at the U.S. Chamber event the country isn’t likely to see “the next Pearl Harbor” in cybersecurity, because Pearl Harbor was a surprise. No one will be surprised when the U.S. is subject to a massive cyberattack, Allen said. But Leiter said, “I get that we haven’t had the infrastructure collapse, but we're having a Pearl Harbor today. It just happens to be a Pearl Harbor of slow moving deadly gas rather than things blowing up. We are being robbed blind.” He said the nation’s risk management is “badly, badly behind.”
Public-private partnerships, including those in the cybersecurity landscape, are often discussed in contradictory ways, said Anne Neuberger, director of the NSA Commercial Solutions Center. “They are cited as critical to improving the country’s security, and cited as largely ineffective,” she said. She said the government was committed to picking a clear model and ensuring the companies involved in such partnerships were the best to achieve its goals, and said the government wants “to exhaust the boundaries of what we can achieve.” She said many stakeholders would speak to the value of public-private partnerships in improving cybersecurity, but individual companies would have to weigh the value of engaging with the government in deciding whether to participate in information sharing. She also spoke to the recent revelations that NSA engaged in weakening encryption standards (CD Sept 9 p8). Neuberger hammered her point home twice, in the same words, “One point is important to make clear. NSA relies on the encryption and standards we advocate for, and we advocate for the encryption and standards we use.”