Cybersecurity legislation needed to safeguard personal information

In representing Texas’s 4th Congressional District, I have the privilege of meeting many hardworking Texans who together represent all aspects of our diverse private sector.

Manufacturers, healthcare professionals, information technology specialists, small-business owners and others want to focus on running and growing their businesses, investing in research to spur new innovations and using technologies to increase productivity, all in an effort to make America more prosperous.

But in order to remain successful, these individuals and businesses are forced to devote already limited resources to securing their networks and protecting their intellectual property and customers’ personal information from cyber intrusions.

America’s cybersecurity posture largely depends on the security of our private networks.

Time and again, cyber criminals, hacktivists, and nation-states such as Iran, China, Russia, and North Korea target our vast and diverse private sector, which is home to a trove of personal information about each American. The recent cyber breach of health insurance giant Anthem exposed the personal information of up to 80 million individuals — approximately 1 in 4 Americans.

We are not talking about a handful of attempted cyber intrusions. The private sector must defend against millions of attempted intrusions per day, thousands of attacks per second. However, the private sector cannot defend their networks against nation states alone.

We’ve increasingly seen personal information stolen, access to information disrupted and certain computers destroyed. Yet the threat landscape is rapidly evolving and the integrity of digital information is increasingly being questioned. Director of National Intelligence James Clapper recently stated, “in the future, we’ll probably see cyber operations that change or manipulate electronic information to compromise its integrity.” The implications of this are enormous: for example, a doctor pulls up your electronic medical records to discover that they have been changed and you have been receiving the wrong dosage of a lifesaving medicine. Now imagine this happening at every hospital in the United States. Such attempts to maliciously compromise personal information represent just one aspect of the cyber threat landscape.

Attacks on the control systems that operate our critical infrastructure such as gas pipelines, electric grid, water supply, bridges and dams are growing more sophisticated.

The private sector owns and maintains roughly 85 percent of the nation’s critical infrastructure. On a daily basis, our critical infrastructure is confronted with threats from terrorists, rogue states and hackers who wish to bring down these vital systems to our economy.

We’ve been fortunate so far, as our critical infrastructure has remained largely intact. Yet, we cannot continue to rely on good fortune when it comes to safeguarding these key components of everyday life.

The threat is clear, and for years the private sector has been on the front lines trying to secure their networks. Now, businesses seek to share cyber threat indicators with one another and with the federal government to prevent known malicious hackers from breaking into their systems, all in an effort to better secure Americans’ personal information and protect the infrastructure which keeps our economy running.

Congress has been asked to grant liability protection to private sector participants when they cooperate with one another by sharing cyber threat indicators. They want a voluntary system that allows them to collaborate with one another and with the federal government to help defend the sensitive information they must protect.

As of now, a legislative solution has been elusive, partly because civil liberties advocates worried that prior proposals did not go far enough in safeguarding personal privacy.

While such concerns of the past are understandable, going forward, I believe the legislation that the House Homeland Security Committee is drafting can equally protect privacy and increase cybersecurity. Inaction is what most threatens personal information. Under the status quo, personal information remains vulnerable. Securing Americans’ personal information and privacy is precisely what compels congressional action.

Both the U.S. Chamber of Commerce and the American Civil Liberties Union supported legislation enacted last Congress, the National Cybersecurity Protection Act of 2014, which codified the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) as a federal civilian interface for sharing cybersecurity risk information.

Through the NCCIC, private companies and the federal government can share such information with one another to protect our personal information and critical infrastructure.

Unlike the National Security Agency, the DHS is a civilian entity with a robust privacy office that ensures compliance with all privacy laws. Therefore, the Homeland Security Committee is well-positioned to pass legislation that grants liability protections to the private sector for sharing cyber threat indicators through civilian portals like the NCCIC.

The cyber threat sharing legislation produced by Congress should enhance the capabilities and relationships that the private sector has worked so hard to develop while establishing procedures to safeguard personal privacy.

If the private sector does not have access to real-time cyber threat indicators — the details of other attempted intrusions — the security of our networks will continue to be in grave danger. The time is now to pass legislation that protects personal information, prevents widespread disruption to our economy and safeguards our homeland from constant cyber threats. 

Ratcliffe has represented Texas’ 4th Congressional District since 2015. He is chairman of the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, and sits on the Judiciary Committee.