This past fall, U.S. intelligence officials unveiled a report to Congress on economic espionage that shocked many in business and government circles. The report’s findings weren’t as surprising as the bold manner in which officials explained what security specialists in government, private firms and academia have known or suspected for years: Foreign spies are stealing U.S. economic secrets in cyberspace.
We’re not talking about random pilfering but aggressive targeting of economic data through computer network intrusions. Efforts to steal U.S. proprietary technologies, which cost millions of dollars to develop and represent tens or hundreds of millions of dollars in potential profits, are on the rise, according to the report.
At the time of the report’s release, Robert “Bear” Bryant, formerly the national counterintelligence executive in the Office of the Director of National Intelligence, pointed to a way forward. He said the federal government needs to be sharing information with private-sector entities more robustly — and vice versa — about threats in cyberspace.
The House is positioned to pass a bill that would chart a sensible course to greater cybersecurity. The Cyber Intelligence Sharing and Protection Act, sponsored by Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), has more than 100 co-sponsors. The business community has also embraced the Rogers-Ruppersberger bill because it seeks to answer a fundamental question: How can policymakers truly help companies protect their computers and networks against global cybersecurity threats? The U.S. Chamber believes that this legislation would help tip the scales in businesses’ favor against online raiders who seek to steal trade secrets or potentially disrupt infrastructure networks.
This bill would make limited and practical changes to policy — far from creating a “Wild West” of cyber information-sharing, as some claim. It would establish an information-sharing framework that is strictly voluntary and would impose no new federal mandates on private citizens or business entities. Further, this legislation contains an “anti-tasking” provision that would guard Americans’ privacy by prohibiting the government from compelling private companies to hand over personal information. The bill would encourage companies to anonymize and minimize the information that they do share with appropriate entities. Indeed, a central purpose of this bill is to ensure the security and resilience of a computer system or network, rather than collect and monitor personal information.
Reps. Rogers and Ruppersberger have written their bill in a bipartisan and transparent manner, and continue to seek common ground with privacy and civil-liberties organizations on issues such as the definition of cyber threat information and how the government can use the information that it receives.
Most important, the Rogers-Ruppersberger bill would tackle the needs of companies to receive intelligence to protect their computer networks and customers’ personal data from malicious actors. Businesses need timely and actionable information so that they can mitigate advanced and sophisticated attacks coming from amply resourced criminal syndicates and foreign governments. Likewise, the bill wisely incents the private sector to share cyber threat information only with authorized federal partners to improve the government’s ability to protect itself, the business community and the nation. It would also give businesses much-needed certainty that specific cybersecurity information shared with the government would not lead to frivolous lawsuits or be used to regulate them.
The House has a special opportunity to take a major step on cybersecurity by removing legal roadblocks that prevent the private sector and government from sharing cyber threat information. The Rogers-Ruppersberger bill would give businesses critical tools to enhance security and to better succeed in a tough global economy.
Josten is executive vice president of government affairs at the U.S. Chamber of Commerce.