Export Compliance Daily is a service of Warren Communications News.
‘White-Water Rapids’

Congress Must Pass Cyber Infosharing Law to Address ‘Largest Threat,’ Rogers Says

If Congress doesn’t address information sharing to further U.S. cybersecurity, “we will do more harm to the next generation’s ability to make it in the world” than if “we fail to do any other thing,” said House Intelligence Committee Chairman Mike Rogers, R-Mich., Thursday at a cybersecurity panel sponsored by The Washington Post. He said cyberattacks are the “largest threat” the country faces. “We have worked ourselves into a frenzy” over these cryptography revelations, he said, referencing the classified information made public by Edward Snowden this summer. “We are raping the next generation’s possibility for economic prosperity.”


“It was tough enough for the chairman to get CISPA through when it was calm, and now it’s white-water rapids,” said Gen. Michael Hayden, former director of the CIA and the National Security Agency, referring to the Cyber Intelligence Sharing and Protection Act the House passed in April (CD April 19 p6). He lamented the difficulties of passing such an “important” bill after the Snowden revelations. “It’s not going to happen,” he said. “We have lost a whole congressional cycle” for cyber legislation because of Snowden. Rogers said, however, he was still hopeful he could work with the Senate on an information sharing bill.

Much of the discussion was on Snowden’s revelations and their impact on both cybersecurity and surveillance policy. The summer’s revelations had a “significant, and in many cases irreversible,” impact on the country’s security, Rogers said. Hayden said the content of Snowden’s revelations had the potential to do far more damage, and for longer, than most leaks. “Most leaks have to do with volumes of water,” he said. “But this is about the plumbing. This is someone who’s not leaking particular secrets, he’s leaking how it is we gain intelligence. This is going to be the gift that’s going to keep on taking from American intelligence.”

“There’s always going to be a tension between the privacy question, both domestically and globally, and the security question,” Hayden said. “Virtually every government in the world does these kinds of things,” he said. “Most of them do it with much less discretion than the U.S. applies.” Rogers agreed, saying Congress does an impressive job in its oversight of the intelligence agencies in the administration. “There is no system that is more overseen than these programs,” he said. “You have some folks who have taken oaths and follow them seriously.”

Rogers said he was working with the other House and Senate Intelligence Committee leaders, Sens. Saxby Chambliss, R-Ga., Dianne Feinstein, D-Calif., and Rep. Dutch Ruppersberger, D-Md., to develop legislation that would make the NSA’s activities more transparent. “There are some things we had classified that maybe we can declassify to give the broader public a sense there is true oversight, and lots of checks and balances,” he said. “We've spent the summer trying to find these confidence builders that we think can address the public concerns and still protect these programs.”

Hayden said he had expected such a “leak,” because of how much emphasis the government placed on sharing intelligence among different areas of the government. “There wasn’t anyone of my background who didn’t believe this was going to happen,” he said. Rogers and Hayden also suggested Snowden must have been helped by another government. The extent of what he took and what he accessed “raises concerns that there may have been help in his search queries,” Rogers said.

Hayden also discussed reports that the NSA introduces vulnerabilities into the encryption standards developed by the National Institute of Standards and Technology. He said the NSA operates on an understanding that there are some vulnerabilities that can be cracked by “nobody but us.” “You look at a vulnerability through a different lens if, even with the vulnerability, it requires substantial computer power to break it,” he said. If a vulnerability requires four acres of computers to crack, then “that’s a vulnerability we are not ethically or legally compelled to patch, and it’s a vulnerability ethically and legally we can exploit to keep Americans safe from others,” he said.

Craig Mundie, senior adviser at Microsoft, discussed his company’s involvement in arguments that the First Amendment gives the firm the right to disclose the number and type of surveillance requests it receives as long as the content or surveillance target isn’t disclosed. The federal government urged the Foreign Intelligence Surveillance Court to deny those requests this week (CD Oct 3 p6). Mundie said existing government rules “make it impossible for companies to adequately convey to customers that yes, some of this goes on, but the numbers of things involved are not nearly of the magnitude that you would believe when you hear all of the allegations and the reporting in the post-Snowden environment.” Companies recognize a “delicate balance” when it comes to information sharing and increased transparency about these governmental requests, he said. But these companies don’t care about making individual cases transparent, he said, they want to release collected statistics so “people would realize this is not some superscale, wholesale activity that is likely to impinge on most people around the world.”

Mundie also criticized the Electronic Communications Privacy Act, which he said makes it illegal to counter cyberattacks with offensive measures. “One side effect of the way it was written is that it’s illegal to chase bad guys up the wire, even if you have the capability to do so. It’s illegal to shoot back,” he said. “There’s no legal basis for self-defense on the network. It’s kind of crazy, and as a society we're going to have to address that.” Rogers said he would love to have the private sector working to fight back against cyberattacks, but he fears the attackers would respond with attacks on the country’s “weakest links.” Those companies have the protections and the infrastructure to survive countermeasures, he said, but “it’s everyone else who’s going to pay a price,” because “we are not ready.”

The best thing the country could do to reduce cyberattacks isn’t better technology or better manpower, said Jane Lute, former deputy Homeland Security secretary. Good cyberhygiene, such as limiting administrator permissions or patching systems in real time, can reduce a company’s attack surface by 80 percent, she said. “It’s like brushing your teeth, flossing and going to the dentist, and we're just not doing it,” she said. The financial sector had done an excellent job in its cyberdefense, but the critical infrastructure sector hasn’t reached that point, said Lute. “There’s still a lack of knowledge, still a lack of practice, and that’s what must change.” Across several sectors, she said, good business practice isn’t enough to incentivize strong cyberdefenses, and the government needs to address that. -- Erin Mershon (emershon@warren-news.com)