WASHINGTON — The growing cyber capabilities of foreign forces demonstrates the need for information sharing between U.S. federal agencies and private-sector companies to protect commercial networks from cyber attacks, a House Intelligence committee chairman said Wednesday.
Mike Rogers, R-Wis., addressing a panel at the Heritage Foundation, said transparency between the technology and business industries and the federal government is critical to protecting nation’s infrastructure.
“If we wait much longer, we will be talking about what we have to do to recover from a catastrophic event,” he said. “There are too many capabilities growing. There’s too much data to track. Our private sector needs that extra help when it comes to the information we share.”
Rogers and top ranking Democrat Dutch Ruppersberger of Maryland pushed the Cyber Intelligence Sharing and Protection Act through a House committee last year. That bill encouraged private companies to voluntarily share cyber threat information with federal agencies, such as the National Security Agency. It also exempted private firms from responsibility for how the government uses acquired intelligence.
A number of private companies — including Facebook, IBM and Lockheed Martin — support Rogers’s legislation.
Rogers said his bill will be voted on the House floor next month.
It is part of a larger bipartisan effort to shore up protection of the nation’s information infrastructure. Sen. Joe Lieberman, I-Conn., has introduced the Cybersecurity Act of 2012, which would give the Homeland Security Department the ability to regulate information security in the private sector.
Sen. John McCain, R-Ariz., criticized the Lieberman legislation last month for giving expanded powers to the federal agency. Instead, McCain, suggested cybersecurity should be left to the more “capable” National Security Agency.
“You have this small IT shop trying to track malicious activity,” Rogers said “Imagine how much stronger it would be if we could get them to see what the NSA[National Security Agency] is up to in a secure and classified way, so they could apply that knowledge to protect their networks.”
Gus Coldebella, a senior fellow at the Homeland Security Institute at George Washington University, reinforced Rogers’s point. The private sector owns 85 percent of the information infrastructure the bills address, Coldebella said. The intelligence community can protect those companies and anticipate other possible threats, if the companies share, he said.
“We haven’t been able to put these two bodies of knowledge together,” Coldebella said. “The sharing within the government is difficult, let alone the sharing between the government and the private sector.”
The prospect of oversharing information with the federal government worries private companies, he conceded. The collected information would not run through a regulatory system ensuring it is not used beyond what a new law intends or allows..
Rogers said the scope of cyber threats has grown over the past five years. Iranian inspectors discovered Stuxnet, a computer worm, in computers within a uranium enrichment plant in 2010.
With enough investment in cyber capabilities, he said, countries like China, Russia and Iran, “could steal, shutdown and break a lot of stuff.” His concern rests in entities that invest in intelligence capabilities to shut down other networks.
“You have someone who has the capability to do massive disruption and the rationale for it,” he said. “That’s what keeps me up at night.”
Michelle Richardson, legislative counsel for the American Civil Liberties Union, criticized Rogers’s bill, saying the information-sharing component encourages companies to provide personal and private data to the government with very little oversight.
She said any cybersecurity bill Congress passes needed to “explicitly” make sure the military had no role over domestic information collection. She called for more clarity in what information is shared between federal agencies and the private sector.
Richardson said the gathered information would not be limited to the tangible actions such as threats on electric grids.
“Any bad act on the Internet that affects millions of Americans every day now becomes a cybersecurity event that could land people’s private information in government hands,” she said.
Rogers said he expects his bill to be pass the House and Senate before the end of the year.