The coincidental timing of the recent California summit between President Obama and his counterpart Xi Jingping and the Edward Snowden/NSA ordeal has brought the many issues surrounding cyber security back into focus. National security and American competitiveness are deeply intertwined; hacking and theft of data from the Defense and private industry is a constant concern. While the United States will certainly remain the target of cyber attacks from a range of perpetrators, there are actions that can be taken to limit the damage.
The Cyber Intelligence Sharing and Protection Act (CISPA) was a bill proposed both in the 112th and 113th congress and passed by the House on April 26, 2012 and again on April 18, 2013 however it failed to pass in the Senate both times. The legislation attempted to allow for greater information sharing between private businesses who were victims of sophisticated cyber attacks and the federal government. Much of the bill was focused on protecting energy companies and firms in the defense industrial base, both of which are included in the Department of Homeland Security’s list of 18 critical infrastructure sectors.
The theft of intellectual property poses both a national security risk and an American competitiveness issue because it closes the gap between America’s military and economic advantage over the rest of the world. For countries like China and Russia, it is much cheaper and faster to set up a hacking cell then fund research that could take years to see results.
Since much of the intellectual property belong to private companies, what responsibility should the government have in protecting it?
On March 17, 2011 the computer security firm RSA announced that it had been hacked by a “highly skilled, well-funded group with a specific agenda.” RSA makes encrypted keys used by the U.S. government, the intelligence community, many firms in the defense industrial base, and fortune 500 companies. In January of this year Apple admitted they had been hacked along with Twitter and Facebook. Bloomberg reported the attack originated in Eastern Europe from a cyber-gang intent on selling the information they collected.
Large companies may be better prepared to protect their property from theft but medium or small firms do not necessarily have the resources to fend off sustained cyber attacks. Coordination between the private and public sectors is necessary so these smaller firms can also be protected. Sharing best practices and information on common threats is where the government could step in and help.
Even without concrete legislation being passed, steps have been taken to increase information sharing, especially in the defense industrial base. In 2011 the Pentagon launched their “Defense Industrial Base Enhanced Cybersecurity Services” program in which defense companies would send reports on attempted and successful hacking into their networks. After being scrubbed of private data and ensuring the victim company would remain anonymous, the information would be shared with other participating companies on the signatures of the attackers. Unfortunately only a handful of companies participated in the program out of the thousands of firms in the defense industrial base.
While CISPA failed to become law due to arguments that it violated the privacy of citizens, it still passed the House with overwhelming support from both sides of the aisle. The issue of maintaining American cyber security is too important for Congress and the White House to simply allow potential protections to flounder and die within governmental bureaucracy. The government has a responsibility to protect the country’s security, and the theft of major weapons systems data certainly justifies at least a political response.
Both Congress and President Obama know how important passing legislation is to protect our country’s intellectual property and the competitive advantage we hold over the rest of the world, but striking a proper balance of security, privacy, and the role of government has been tricky. A proactive and well-deliberated approach to cyber legislation is much more desirable than a reactive and hasty response following a major cyber attack. As Senator Jay Rockefeller of W.Va. said, “There is too much at stake for Congress to fail to act.”