Congress must act to protect against cyberattacks

Washington, March 31, 2015

The Hill

In the virtual equivalent of a jewel heist in which thieves make their way into a heavily defended showroom through the ventilation shaft, cyberattackers are exploiting vulnerabilities in our digital networks to steal millions of Americans’ personal, financial and medical records.

In today’s digitally connected world, America’s businesses, critical infrastructure, government and consumers are at risk like never before — and the threat comes not from a handful of brilliantly misguided miscreants, but from sophisticated criminal enterprises and, most disturbingly, cyber criminals with the full power and resources of national governments behind them.

Target, Sony, Anthem, Premera, JPMorgan Chase — the list of cyber crime victims goes on and on. And by the time you finish reading this sentence, another American company will likely have been attacked, though it will probably not discover the intrusion for another seven months. The cyber world has become a lawless Wild West of malicious computer algorithms, phishing emails and malware. The attacks are profitable and they are escalating. They must be stopped. 

Online attacks are a classic asymmetric threat — offense is cheap and often easy while defense is expensive and difficult. Attackers only need to find one vulnerability, while network operators must plug an ever-multiplying number of holes. That’s why cyberspace has become the battlefield of choice for everyone from nation-states like China and North Korea to non-state actors that wreak havoc for fun or profit.

The damage is far from theoretical — businesses lose billions in recovery costs and compromised trade secrets, while their customers can wake up to find their bank accounts wiped out and their identities stolen. Intellectual property that took American companies years to develop is being stolen in a flash. In our home state of California, from the Silicon Valley to Hollywood and everywhere in between, our constituents are feeling the effects of this vast crime spree.

It is long past time for the United States to get serious about our cyber defenses. Currently, if the government learns of an impending cyberattack, it cannot always warn potential private-sector victims. Similarly, when companies fall prey to cyber crime, they are often inhibited from calling the government for help or advising other firms on how to protect themselves. 

Despite a strong effort by the House Permanent Select Committee on Intelligence, last year Congress failed to agree on an information-sharing bill that would address this growing threat while protecting Americans’ legitimate privacy interests. As the new chairman and ranking member of the committee, we are determined to ensure that Congress will be successful this year. That’s why we introduced bipartisan legislation, approved by the House Intelligence Committee last week, that we hope will bridge last year’s divide and create powerful tools for thwarting hackers.

First, the Protecting Cyber Networks Act would authorize private companies to share cyber threat information with each other and with the federal government — though not the National Security Agency or Department of Defense, and only for a cybersecurity purpose. Second, it would require the federal government to share cyber threat information it receives from the private sector in real time with relevant federal agencies, and encourage the government to share appropriate classified information with private companies to help them guard against known attacks. Third, it would give businesses liability protection for sharing cyber threat indicators when taking reasonable efforts to remove personally identifiable information. Finally, it would allow businesses to operate narrow defensive measures on their own networks to protect against intrusions and attacks.

These provisions — in particular the prohibition on direct sharing to the Department of Defense and NSA as well as the requirement that companies remove personally identifiable information from the data they share — are designed to address some of the key privacy concerns that held up passage of cyber legislation in the last Congress. Our bill would also require the attorney general to develop and periodically review privacy and civil liberty guidelines related to cyber threat information sharing. This will create a privacy North Star for companies to follow and will allow the government to be held liable in court for any intentional violations. Additionally, our bill specifically delineates that these new tools would not grant the federal government any new surveillance authorities.  

By making it absolutely clear what the bill is — a response to the constant destructive attacks on our networks — and what it is not — an expansion of surveillance powers — we hope to finally break the logjam and advance legislation to make our networks more secure. The task of protecting our economy, our private information and our critical infrastructure from cyberattacks simply cannot wait.

Nunes represents California’s 22nd Congressional District and has served in the House since 2003. He sits on the Ways and Means Committee and is chairman of the Intelligence Committee. Schiff represents California’s 28th Congressional District and has served in the House since 2001. He is ranking member of the Intelligence Committee and sits on the Appropriations Committee. Nunes and Schiff are the authors of the Protecting Cyber Networks Act.