Defense Industrial Base Wary of Cybersecurity Laws
That the United States is capable of responding to this threat remains to be seen.
President Barack Obama earlier this year released an executive order aimed at guarding privately held critical infrastructure from cyber-espionage and attacks. It followed the failure of the 112th Congress, which tried but could not move any legislation that would assist companies trying to fend off sophisticated adversaries bent on infiltrating their networks.
The executive order was “really just half a loaf,” said Paul Martino, an attorney who co-leads the privacy and security practice at the Alston & Bird law firm in Washington, D.C., and a former cybersecurity adviser to Sen. John McCain, R-Ariz. Legislation will still be needed to allow the private sector to freely share information on threats, he added.
The key component of the Cyber Intelligence Sharing and Protection Act, both the version that failed in the 112th Congress and the version reintroduced in the current session, is, as the title suggests, information sharing, Martino and other experts interviewed said.
“The most important part of the bill is that it is trying to get the information sharing regime right, and trying to do it in a way that is going to be useful, [and] going to help identify threats and prevent attacks,” Martino said.
Much of the bill appears to be aimed at entities such as energy companies that control electric grids, but the defense industrial base is a part of the Department of Homeland Security’s list of 18 critical infrastructure sectors. The responsibility for protecting the entities on the list of 18 is spread out among various federal departments and agencies. Naturally, the Defense Department is charged with overseeing the defense industrial base.
“With the possible exception of the electricity grid, there are no bigger targets than the defense industrial base,” said former Ambassador David J. Smith, who now serves as the director of the Potomac Institute’s Cyber Center. The institute is an Arlington, Va.-based think tank.
The widespread theft of intellectual property from U.S. defense firms by hackers in China and Russia is an operation of strategic importance, Smith said.
“We are talking about nation states targeting the U.S. government and the holders of its intellectual property,” he said. China and Russia are trying to bring their technology up to par with that of the United States and cannot do it on their own.
“The only way they can even hope to do that is to steal it,” he said.
The question now is, since most of this intellectual property is in private hands, what is the government’s role in protecting it?
“To argue that the government should stay out of this is absolutely absurd,” Smith said. “The government is in charge of national security. Read the Constitution.”
However, the debate in 2012 amongst lawmakers eventually boiled down to conservatives and liberals arguing over whether this was big government seeking to impose more onerous regulations on industry, Smith said.
“If we don’t have the legal authority to do some of the things we need to do, then we have got a problem,” Smith said.
Martino said what the executive order can’t do is provide the incentives, chiefly legal protections, that businesses need before they will participate in voluntary information-sharing programs. Without those protections, the data they share could be used to the advantage of rival businesses.
They need assurances, for example, that documents gleaned from Freedom of Information Act requests couldn’t be used against them.
“If a company’s network is being attacked repeatedly, it helps everyone that has critical infrastructure to know that. It helps no one if they know the second they release that information, it is subject to some FOIA request,” Martino said.
There is a risk of stock prices dropping or damage to brand names. “There are strong disincentives to sharing,” he added.
The Defense Department was ahead of other agencies when it launched a voluntary information-sharing program in 2011, the Defense Industrial Base Enhanced Cybersecurity Services program.
Participating defense companies send reports of successful or failed network intrusions to the Defense Department, which scrubs them of private and sensitive data, ensures the identity of the victim company remains anonymous, then pushes out information about attack signatures to the other participants.
However, companies that took part initially numbered in the dozens, while there are thousands of firms that do business with the Pentagon. After one year, the Defense Department announced that it was expanding the program.
Clark DeHaven, senior director of corporate strategy at the cybersecurity firm LGS Innovations, said there are still a lot of concerns among companies about information sharing, particularly when it comes to handing over emails and personal communications to a third party.
Some of these messages are classified as well. Messages would have to be scrubbed for private or other compromising data.
“A lot of companies are saying, ‘Boy, that is a lot of redaction. That is a lot of work on our part. What is the risk if we do this? What is the impact if we do this?’ But you need to balance this with, ‘What is the risk if we don’t take action?’” DeHaven said.
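The scrubbing step that the program description above and DeHaven’s redaction concern both point to can be made concrete. The following is an added example written for this page; it is not code from the Defense Department program or from any vendor. It assumes a simple report layout (the `reporter`, `incident` and `indicators` fields), a constructed sample report with documentation-range addresses, and a secret key held only by the clearinghouse. The victim’s name, mailboxes and hostnames are stripped from the free-text narrative, only analyst-curated indicator fields pass through, and a final gate refuses release if any forbidden string survived.

```python
import hashlib
import hmac
import json
import re

# Constructed sample report, as a participating company might submit it.
# The field layout is an assumption for this example, not the program's format.
SAMPLE_REPORT = {
    "reporter": {
        "company": "Example Aero Corp",
        "domains": ["example-aero.com"],
        "contact": "jane.doe@example-aero.com",
    },
    "incident": {
        "date": "2013-05-02",
        "outcome": "failed",
        "narrative": (
            "Spear-phishing mail from hr-update@mail.example.net to jane.doe@example-aero.com "
            "carried invoice.pdf.exe (sha256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08). "
            "Host ws-jdoe.corp.example-aero.com beaconed to 203.0.113.45 before Example Aero Corp blocked it."
        ),
        "indicators": {
            "sender": "hr-update@mail.example.net",
            "attachment_sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
            "c2_ip": "203.0.113.45",
            "c2_domain": "update.example.net",
        },
    },
}

# Only analyst-curated indicator fields pass through; anything else in the report is dropped.
SHAREABLE_INDICATORS = ("sender", "attachment_sha256", "c2_ip", "c2_domain")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def victim_pseudonym(company: str, key: bytes) -> str:
    """Stable opaque ID for the reporter. Keyed (HMAC) on purpose: a plain hash of a
    company name can be reversed by hashing a list of known defense contractors."""
    return hmac.new(key, company.encode(), hashlib.sha256).hexdigest()[:16]


def redact_narrative(text: str, company: str, domains: list) -> str:
    """Scrub free text: the victim's hostnames, every e-mail address, and the company name.
    Free text is deliberately over-redacted; attacker data travels in the curated indicators."""
    out = text
    for dom in domains:
        out = re.sub(r"\b[\w.-]+\." + re.escape(dom) + r"\b", "[victim-host]", out)
    out = EMAIL_RE.sub("[email]", out)
    out = re.sub(re.escape(company), "[victim]", out, flags=re.IGNORECASE)
    return out


def sanitize_report(report: dict, key: bytes) -> dict:
    """Build the record pushed to other participants: pseudonymous ID, curated
    indicators, indicators mined from the narrative, and the redacted narrative."""
    rep, inc = report["reporter"], report["incident"]
    narrative = inc.get("narrative", "")
    indicators = {k: v for k, v in inc.get("indicators", {}).items() if k in SHAREABLE_INDICATORS}
    return {
        "report_id": victim_pseudonym(rep["company"], key),
        "date": inc["date"],
        "outcome": inc["outcome"],
        "indicators": indicators,
        "narrative_ips": sorted(set(IPV4_RE.findall(narrative))),
        "narrative_hashes": sorted(set(h.lower() for h in SHA256_RE.findall(narrative))),
        "narrative": redact_narrative(narrative, rep["company"], rep.get("domains", [])),
    }


def forbidden_terms(report: dict) -> list:
    """Strings that must never appear in the shared record."""
    rep = report["reporter"]
    return [rep["company"], rep["contact"]] + list(rep.get("domains", []))


def leaked_terms(sanitized: dict, forbidden: list) -> list:
    """Release gate: return every forbidden string that survived sanitization (empty is good)."""
    blob = json.dumps(sanitized).lower()
    return [t for t in forbidden if t.lower() in blob]


if __name__ == "__main__":
    key = b"clearinghouse-secret-key"  # assumption: held only by the clearinghouse
    out = sanitize_report(SAMPLE_REPORT, key)
    assert leaked_terms(out, forbidden_terms(SAMPLE_REPORT)) == []
    print(json.dumps(out, indent=2))
```

The design choice worth noting is the split between free text and structured fields: a regex pass over a narrative will always miss something, so the narrative is redacted aggressively and the attacker’s sender address and infrastructure are shared only from the fields an analyst filled in deliberately. The release gate at the end is the check that turns “we redacted it” into something testable.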
While the large companies — the Boeings, the Lockheed Martins and the Northrop Grummans of the defense world — do a relatively good job of protecting their sensitive data, medium and small companies don’t have the same resources, DeHaven said.
“If we leave some of the companies on their own to fend off the wolf, if we don’t get this sharing capability, I think we are going to miss an opportunity to counter what is a very critical issue,” he said.
He pointed to the comments of an executive at QinetiQ North America, which became a poster child for ineffective cybersecurity practices in the industry after a Bloomberg report described how hackers had been inside the company for years without its knowledge.
The executive said he could use up all the company’s resources trying to fend off the hacking onslaught. There is no end to the amount of money it could spend on consultants and technology. While QinetiQ received all the bad publicity, it is by no means alone in being penetrated by hackers, DeHaven said.
There is strength in numbers, he added. Small and medium-sized firms can band together in associations to share best practices and information on threats.
“Sometimes the best collaboration is done in private industry where there is a common goal,” he said.
But Smith said there has to be some legislative output this year.
As a former Hill staffer for Sen. Jon Kyl, R-Ariz., and a director at the right-leaning Potomac Institute, Smith said his small government, conservative bona fides are solid. But this is an issue that is in need of action.
“This is not a Republican versus Democrat, liberal versus conservative, or pro-business versus public interest issue,” he said.
But it turned into that familiar split during the 112th Congress, he added.
The problem can be tackled without strict laws, Smith said. Industry is saying, “Please don’t give us a bunch of rules and regulations that are going to be outdated literally before the ink dries,” he said.
Technology moves fast. Congress moves slowly. It is best to have broad mandates, he said.
The legislation should set up performance-based goals companies should meet, and make them structure their solutions so their defenses against network intrusions can be tested. But they should be free to come up with their own ideas, Smith said.
There are some positive signs this year as lawmakers again try to pass cybersecurity legislation, he said.
Another version of CISPA (H.R. 624) passed the House in April by a margin of 288-127. The Obama administration wasn’t happy with the privacy provisions and threatened to veto it. Some pundits declared the bill dead. Others believe it still has a chance.
Martino said the White House veto threat “wasn’t as reactive.” It took a while before President Obama issued it. The hesitation was a positive sign, as was the wide approval margin, which included votes from both parties.
This year’s bill is different in that it has a number of amendments to address privacy and civil liberty concerns, he said.
Smith saw a second bill introduced in the Senate, the Deter Cyber Theft Act (S.884), as another positive sign.
This measure takes a different approach. It calls for the director of national intelligence to produce reports on who exactly is carrying out the hacking, and provides for sanctions against the companies and individuals responsible. Products built on stolen technology could be blocked from being imported into the United States.
Smith said most of the bill probably could be done by the Executive Branch without the need for legislation. Nevertheless, the fact that it is co-sponsored by Sens. McCain, Carl Levin, D-Mich., Jay Rockefeller, D-W.Va., and Tom Coburn, R-Okla., is a sign that a spirit of bipartisanship for cybersecurity legislation is possible this year.
Martino said: “I think there is a little bit of hardball being played, especially with the veto threat, but I am hopeful there is a better landscape in this Congress and a better opportunity to actually move something on a bipartisan basis.”
Companies have to realize that they are private property, but they are also part of a national asset. If they don’t get a handle on the intellectual property theft problem, more restrictive rules could be on the way, Smith said. “The very thing the companies are afraid of is what they are going to precipitate upon themselves if they don’t take it upon themselves to do something.”
DeHaven said: “We hope we can come together and find solutions to the proprietary and privacy issues, and it won’t take some sort of cyberdisaster to suddenly wake us up. … The threat is only growing more sophisticated.”