Public-private cooperation crucial to protecting US from cyber crimes

Rarely does a week pass without news of a massive theft of credit card numbers from a retailer or a dire warning about the vulnerability of our critical infrastructure to cyberattack.

The damage these massive data breaches have caused is astonishing and continues to increase. Tens of millions of Americans have already been victimized; theft of intellectual property is on the rise and estimates of economic damage range into the trillions of dollars.

Every sector of our economy is affected, and the list of victims keeps growing. In just the past few weeks we’ve seen news reports of cyberattacks against Sony, UPS, JP Morgan and Home Depot. We’ve also seen reports that terrorist group the Islamic State in Iraq and Syria (ISIS) has threatened to launch cyberattacks against U.S. computer networks.

FBI Director Jim Comey said in May that there are only two types of big corporations in America, “Those who have been hacked by the Chinese, or those who don’t yet know they’ve been hacked by the Chinese.”

And he’s just talking about large companies that already invest significant resources to combat cyber threats. Small companies are similarly besieged: by hostile governments, sophisticated cyber criminals and malicious hackers. In fact, the Internet security company Symantec found that 61 percent of email fraud attacks are aimed at small- and medium-sized businesses.

Beyond draining bank accounts and stifling innovation, the national security challenges in cyberspace are substantial. Terrorists and nation state adversaries are actively pursuing cyber weapons, and U.S. government information is a prime target for theft.

This summer, the government contractor USIS suffered a major breach of its systems. USIS is the largest provider of background checks for the U.S. government, with access to information on a huge number of government employees who have security clearances.

In response to these cyber threats, I joined with Sen. Saxby Chambliss (R-Ga.), vice chairman of the Senate Intelligence Committee, to develop a bill that will improve public and private information sharing about cyber threats.

Our bill, the Cybersecurity Information Sharing Act, was approved by the committee on a bipartisan 12-3 vote in July, and I am working with colleagues on both sides of the aisle to bring this bill to the Senate floor by the end of the year.

The bill provides legal authority for companies to share defined types of cyber-related information with other companies and the government, and it provides companies with liability protection for such sharing only when done for a cybersecurity purpose and consistent with privacy rules laid out in the bill and further defined in procedures written by the attorney general.

Sharing cannot be a one-way street. The bill requires the Director of National Intelligence to increase sharing of classified and unclassified cyber threat information with the private sector. Companies need information that the government possesses about cyber threats to protect themselves from sophisticated adversaries.

Our businesses must also have the ability to better understand the particular cybersecurity threats that they face and to take steps to counter them. The bill allows companies to monitor their own networks, share threats and defensive information and apply security techniques, or countermeasures, on their own systems to prevent cyberattacks from having their intended effect.

These steps are completely voluntary, but company actions to monitor and share information consistent with the privacy protections in the bill are protected with legal immunity. The specter of frivolous litigation should not be an obstacle to increased cybersecurity efforts in the private sector.

A critical element of cybersecurity is the ability of individuals and companies to better protect the private information on their own networks. This bill aims to accomplish that goal.

Moreover, the bill includes several critical privacy protections to ensure that the sharing of cyber information does not open the door for misuse. The bill has clear requirements for anyone who shares information about cyber threats to remove irrelevant, personally identifying information before sharing.

The government could only use cyber information for specified cybersecurity purposes, and any information shared with the government will not be used to write regulations or launch investigations outside the cyber context. The bill also requires reviews of government information sharing protocols and practices by watchdogs inside and outside the executive branch.

This bill will not end the threat of cyberattacks or the damage they cause. But it is a first step to better information sharing and improving our nation’s cybersecurity. We have an opportunity to make a difference, and we must act now.

Feinstein is California’s senior senator, serving since 1992. She is chairwoman of the Intelligence Committee, and also sits on the Appropriations; the Judiciary; and the Rules committees. She is the author of the Cybersecurity Information Sharing Act.