Nearly 200 senior IBM executives are flying into Washington to press for the passage of a controversial cybersecurity bill that will come up for a vote in the House this week.
“We’re going to put our shoe leather where our mouth is,” Chris Padilla, vice president of governmental affairs at IBM, told The Hill.
“The message we're going to give [lawmakers] is going to be a very simple, clear message: support the passage of CISPA,” he later added.
The Cyber Intelligence Sharing and Protection Act, or CISPA, by House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.), passed out of committee on an 18-2 vote last Wednesday and is expected to come to the floor for a vote as soon as mid-week.
While the bill enjoys strong backing from industry, privacy advocates warn the bill lacks sufficient protections for people’s information online. The White House issued a veto threat against the first iteration of CISPA last year, due in part to privacy concerns.
Despite the opposition, CISPA safely passed the House last year on a bipartisan vote—and IBM intends to make sure it does again this week.
The technology services company runs the information technology networks of major hospitals, banks and electric companies—key infrastructure that lawmakers and security officials warn is a top target for cyberattacks by hostile actors.
Big Blue is also the top recipient of U.S. patents and owns a trove of valuable intellectual property that would be enticing to probing hackers looking to siphon valuable proprietary information. A report published by computer security firm Mandiant this year concluded that an elite military unit of Chinese hackers has allegedly cracked into the computer systems of more than 100 U.S. companies and stolen intellectual property.
The company believes the best way to thwart a cyberattack is to encourage companies to share more data about malicious source code and other online threats with the government and their private-sector peers so they can take steps to address them, according to Padilla.
“It’s our experience that the most effective thing you can do when a cyberattack occurs is to share information quickly between government and industry and between industry actors in real time in order to find where the attack is coming from and to shut it down,” he said.
"The key really is when an attack happens—and they will happen—is detecting it, and shutting it down and preventing the loss of data as quickly as possible. That's a question of information and it's a question of speed," Padilla said. "And often, the government will have very timely and critical information that banks or telecommunications companies need to know that there is an attack. Other times, we detect it first and sharing [information] with the government could serve to warn others that there may be an attack."
But companies are currently hesitant to share information about cyber threats they spot on computer networks with the government because they fear it may put them at risk for being sued. CISPA would address that concern, Padilla said, by granting companies liability protection from lawsuits if they share threat information with the government, allowing firms to get the assistance and data they need faster.
If a cyberattack is launched against a key piece of infrastructure, “you don't want a bunch of lawyers sitting in a room arguing whether to tell the government,” he said. “You want there to be clear and established procedures. CISPA will help facilitate that.”
But the cyber information-sharing bill has rankled privacy advocates from Washington to Silicon Valley. One of their chief concerns with the bill is that it would allow companies to share threat information directly with the military, including the National Security Agency, without being required to take steps to remove personally identifiable information from that data. Privacy advocates warn that could lead to people's email and IP addresses, names, and other personal information being inadvertently passed on to the NSA without their knowledge.
The American Civil Liberties Union, Center for Democracy and Technology and Electronic Frontier Foundation argue that a civilian agency, namely the Homeland Security Department (DHS), should be the first recipient of cyber threat data from companies. DHS would then pass on that data to other government agencies and departments.
Privacy advocates argue that a civilian agency is subject to more oversight relative to the secretive spy agency.
Reps. Jan Schakowsky (D-Ill.) and Adam Schiff (D-Calif.) proposed a set of privacy-focused amendments during the markup of CISPA last week, which did not receive enough votes to be adopted into the bill. One of the amendments by Schakowsky would have ensured that DHS is the first recipient of threat data from companies and would relay that information to other agencies.
"I think if you're looking just to maximize efficiency and you don't care about anything else, then we should give the job to NSA. But we have a separation of civilian and military in this country when you're talking about domestic cyber information," Schiff said at a press conference after the House Intelligence panel's markup of CISPA. "If we wanted efficiency only, then we wouldn't have a Fourth Amendment."
CISPA would “shift the control of the cyber program from civilian hands to a secretive military agency," said Greg Nojeim, senior counsel for the Center for Democracy and Technology, last week. "It'll be very difficult for there to be any transparency or any accountability if that shift happens."
Padilla, however, says companies need to be able to share threat data directly with the NSA “because that’s where the expertise is.”
“It really is a simple matter. The expertise in the U.S. government on cybersecurity largely rests in one place, and that's the National Security Agency,” he said. “They tend to know the most, the soonest about cyber threats and I think, frankly, there is a certain amount of feeling in the business community that you should be able to work directly and share information directly with the agency that has the most expertise.”
He said that IBM is open to working with DHS and other civilian agencies on the company’s cybersecurity efforts, but it believes the NSA has the most expertise at this point.
“We don't have a bias. We just want to work with who's got the expertise,” Padilla said.
During their fly-in trip, the executives also plan to press lawmakers to pass comprehensive immigration reform, which would include measures aimed at raising the cap for H-1B visas for skilled workers and freeing up more green cards.