Cyberattacks Bring Government Attention to Security Reform

Feb. 22, 2013 -- Recent accusations of a large-scale cyber crime effort by the Chinese government left many wondering what immediate steps the president and Congress are taking to prevent these attacks from happening again.

On Wednesday, the White House released the administration's Strategy on Mitigating the Theft of U.S. Trade Secrets as a follow-up to the president's executive order. The strategy did not outwardly mention China, but it implied U.S. government awareness of the problem.

"We are taking a whole of government approach to stop the theft of trade secrets by foreign competitors or foreign governments by any means -- cyber or otherwise," U.S. Intellectual Property Enforcement Coordinator Victoria Espinel said in a White House statement.

As of now, the administration's strategy is the first direct step in addressing cybersecurity, but in order for change to happen Congress needs to be involved. So far, the Cyber Intelligence Sharing and Protection Act (CISPA) is the most notable Congressional legislation addressing the problem, despite its past controversy.

Last April, CISPA was introduced by House Intelligence Committee Chairman Mike Rogers, R-Mich., and Rep. Dutch Ruppersberger, D-Md. The act would allow private companies with consumer information to voluntarily share those details with the NSA and the DOD in order to combat cyber attacks.

The companies would be protected from any liabilities if the information was somehow mishandled. This portion of the act sounded alarm bells for CISPA's opponents, like the ACLU, which worried that this provision would incentivize companies to share individuals' information with disregard.

CISPA passed in the House of Representatives, despite a veto threat from the White House stemming from similar privacy concerns. The bill then died in the Senate.

This year, CISPA was reintroduced the day after the State of the Union address during which the president declared an executive order targeting similar security concerns from a government standpoint.

In contrast to CISPA, the executive order would be initiated on the end of the government, and federal agencies would share relevant information regarding threats with private industries, rather than asking businesses to supply data details. All information shared by the government would be unclassified.

At the core of both the executive order and CISPA, U.S. businesses and the government would be encouraged to work together to combat cyber threats. However, each option would clearly take a different route to collaboration. The difference seems minimal, but has been the subject of legislative debates between the president and Congress for almost a year, until now.

"My response to the president's executive order is very positive," Ruppersberger told ABC News. "[The president] brought up how important information sharing is [and] by addressing critical infrastructure, he took care of another hurdle that we do not have to deal with."

Addressing privacy roadblocks, CISPA backers said the sharing of private customer information with the government, as long as personal details are stripped, is not unprecedented.

"Think of what we do with HIPAA in the medical professions; [doctors do not need to know] the individual person, just the symptoms to diagnose a disease," Michigan Gov. John Engler testified at a House Intelligence Committee hearing in an attempt to put the problem into context.

No matter how small the amount of private data may be, the ACLU says any data sharing from private companies to the government is too much.

"CISPA does not require companies to make reasonable efforts to protect their customers' privacy and then allows the government to use that data for [undefined purposes]," said ACLU legislative counsel Michelle Richardson in a statement.

"We brought privacy groups like the ACLU to the table, and they said the bill was too broad," said Ruppersberger. "I was disappointed that they did not even talk about some of the things we did do [to address privacy]."

But Ruppersberger argued that the information shared between companies and the government under CISPA would be completely anonymous.

"When we are sharing information it's always formulas, not personal information because that's against the law and we would need a court order to get that information," said Ruppersberger, referring to IP addresses being shared over credit card numbers.

Some technology experts say trusting the government to keep information anonymous is not enough to ensure successful collaboration between the government and businesses.

"It's not enough to say 'we aren't going to violate your privacy'," said Bloomberg government tech analyst Mike Nelson. "There's clearly a need for more incentives to align the needs of citizens and the needs of business."

Nelson believes that under CISPA's current provisions, businesses would be hesitant to share customers' information with the government anyway, no matter how much of the data is anonymous.

He also voiced concern about people thinking the executive order and CISPA would cover all cyber security problems. Passing a bill is one thing, but hitting the ground running without enough trained professionals and implemented technologies is another.

"I worry a little bit that we are putting way too much attention on just one bill," he said. "If we implement the executive order and the bill, [people may think] 90 percent of the work is done, that's not the case."