Capitol Hill Drills Down on Cybersecurity Demands
House lawmakers launched a full-court press on cybersecurity issues Wednesday, holding three hearings to examine what rules and law enforcement tools are needed to increase the nation’s cybersecurity defenses. Separately, President Barack Obama met with U.S. CEOs Wednesday afternoon to discuss cybersecurity issues, according to the White House schedule released to the press. In the meeting, which was closed to the press, the president planned to discuss his cybersecurity executive order and “solicit the CEOs’ input on how the government and private sector can best work together to improve the nation’s cybersecurity,” the White House said. The CEOs at the meeting included Randall Stephenson of AT&T, David Cote of Honeywell International, and Wes Bush of Northrop Grumman, among others, according to White House Press Secretary Jay Carney.
The goal of the president’s CEO meeting is to hear from the private sector “what they're experiencing, what their concerns are, what their challenges are, what they hope to see in terms of action in Washington,” said Carney. “And he also wants to convey to them how seriously he takes this issue and what he believes the right steps are moving forward. And he certainly hopes that out of this meeting and the many others he has on this topic, that we will build the kind of consensus necessary to compel Congress to take appropriate action,” Carney said. Carney said in Wednesday’s press briefing that cybersecurity is an “enormous priority, one that should have the attention of Congress and that the Congress should act on through legislation that the president has supported but thus far has not made it out of Congress.” The sharing of information and working with the private sector on this issue is “vitally important in the comprehensive approach the president believes we need to take to deal with it,” he said.
Gen. Keith Alexander, commander of the U.S. Cyber Command, said during a hearing Wednesday at the House Armed Services Subcommittee on Intelligence, Emerging Threats and Capabilities that cybersecurity legislation is needed to enhance the government’s partnership with private sector companies. “We can not see the attacks to Wall Street today,” he said. “We need information sharing and liability protections” and incentives would be a “great help.” Alexander said there is a way to ensure the security of the nation’s networks that respects civil liberties and privacy. “We would want to know the fact of the attack and the type of the attack. We don’t want to read emails,” he said.
Alexander said the sequester is having an effect on the government’s ability to hire and retain cybersecurity professionals. “We are getting great people that are building the teams we need. But issues come up with the sequester. Having to furlough the people that are coming in sends the wrong message,” he said. Building and training a cybersecurity workforce is a top priority for U.S. Cyber Command, said Alexander. Other priorities include: establishing a command and control doctrine, maintaining situational awareness, ensuring a defensible architecture, and clarifying the authorities, policies and standing rules for engagement. “We need to work with you to get those right,” he told lawmakers on the panel.
Subcommittee Chairman Mac Thornberry, R-Texas, urged the executive branch to be public and transparent about how it acts on cybersecurity issues. “The more the administration consults with Congress the more we can make these decisions out in the open, the better result we'll have and in addition the more support you will have from the American people,” he said. “The more that is kept secret with some White House paper that is hard to access, the more suspicions there will be as to what the government is doing.”
Congress Must Codify DHS Cybersecurity Role
Congress must pass cybersecurity legislation to bolster the White House cybersecurity executive order and codify DHS’s cybersecurity responsibilities into law, DHS Deputy Secretary Jane Lute told the House Homeland Security Committee during a separate hearing Wednesday. But DHS is continuing to work with the Defense and Justice departments to secure federal networks and help the private sector increase its cybersecurity defenses. “The status quo is simply unacceptable and the federal government is not standing still,” she said.
Lute said legislation is needed to enhance and incentivize information sharing practices, incorporate civil rights and privacy protections, adopt a framework for cybersecurity standards, establish the authority for DHS to protect the .gov domain, and strengthen the tools of law enforcement to pursue cybercriminals. Lute’s comments echoed DHS Secretary Janet Napolitano’s request last week to enact a suite of comprehensive cybersecurity legislation when she testified before the Senate Commerce and Homeland Security and Governmental Affairs committees (CD March 8 p4).
House Homeland Security Committee Chairman Mike McCaul, R-Texas, said he “finally feel[s] that the time is right for Congress to act” on cybersecurity legislation. McCaul said he’s working with Senate colleagues to ensure that the disagreements between the House and Senate on cybersecurity legislation last year won’t sink Congress’s efforts this year. “This is something that is too important to play politics with,” he said. Other members such as House Cybersecurity Subcommittee Chairman Patrick Meehan, R-Pa., and Rep. Peter King, R-N.Y., agreed it’s essential to pass cybersecurity legislation this Congress.
McCaul said lawmakers must “build upon” the president’s cybersecurity order to address the remaining legal barriers, regulatory uncertainties and lack of resources that hinder the nation’s cybersecurity response. Specifically he said Congress must designate more clearly the roles that DHS, Defense and Justice play in defending the nation against cyberattacks. “We cannot allow turf battles to hinder us from developing the defenses necessary to prevent cyberattacks.” McCaul added that he and Meehan are looking at ways to ensure that privacy is protected in any legislation that advances through Congress.
Ranking Member Bennie Thompson, D-Miss., called the president’s cybersecurity order “a positive step forward” but said it will take “legislative action to fully address cyber threats and vulnerabilities to critical infrastructure.” Thompson said he’s concerned that some House members “have not seen the light” with regard to legislation that will help “bolster the nation’s ability to ward off attacks to critical infrastructure.” Thompson objected to the House majority’s decision not to refer the Cyber Intelligence Sharing and Protection Act (CISPA) (HR-624) to the Homeland Security Committee for consideration.
Rep. Loretta Sanchez, D-Calif., asked Lute to explain what DHS’s current role is if a telecom company like AT&T became subject to a “ruinous” cyberattack. Lute said the nation’s telecom providers are among the “most capable industries” with regards to their ability to protect and defend against cyberattacks. “We are in constant dialogue with AT&T and other players across cyberspace,” said Lute. She said if there were an attack against a telecom provider DHS would check to see how well the entity is able to defend itself and then augment its defense by offering relevant threat information. Lute said the private sector has a vast amount of information about cyberthreats and what is needed is a “cyber neighborhood watch” to mitigate attacks to the nation’s private networks. Rep. Yvette Clarke, D-N.Y., later said she firmly believes that DHS’s role “needs clarity.”
Reforming CFAA, Role of Diplomacy in Combating Cyberthreats
Whether the Justice Department needs the Computer Fraud and Abuse Act (CFAA) to go after cybercriminals when unauthorized access is the only crime is ripe for debate, House Crime Subcommittee Chairman Jim Sensenbrenner, R-Wis., said during a subcommittee hearing Wednesday. Sensenbrenner pointed to a hypothetical situation where someone accessed a computer without authorization but did not take any information. “Shouldn’t the Justice Department have a tool to be able to do something about that even though no other crime was committed?” he asked. The CFAA was used to prosecute Internet activist Aaron Swartz -- who committed suicide in January before his trial -- for downloading a massive archive of subscription academic articles, though Swartz’s name didn’t come up in the hearing and CFAA reform was already a priority for civil liberties groups.
Situations like Sensenbrenner’s could be handled under other laws, Orin Kerr, professor at the George Washington University Law School, told the subcommittee. For instance, the spy that hacked into a company’s network but didn’t steal anything could be charged for attempted theft, he said. “It’s not a computer-related offense. It just so happens that that offense involves computer-related conduct.”
Hacking sentences should carry mandatory minimums, Sensenbrenner said. “Does the administration oppose mandatory minimums as a matter of principle or don’t they think that the crimes that we're trying to describe here deserve mandatory minimums?” he asked. Jenny Durkan, U.S. attorney for the Western District of Washington, said the administration opposes mandatory minimums and prefers to leave discretion to the judge, in addition to Justice’s recommended sentences. “But we'll be happy to work with your staff” on the issue, she said. “I think that we're going to be talking about this issue a lot more as legislation is developed,” Sensenbrenner said.
The U.S. can’t rely on diplomacy to combat cyberthreats, as President Barack Obama has done, Sensenbrenner said. “The administration’s strongest rebuke has been to ask that Beijing take serious steps to investigate” claims that U.S. companies have suffered cyberattacks from Chinese state-run entities. “We applaud the administration for its efforts, but it remains to be seen whether these steps will actually work,” he said. “I think that we're going to have to put increased emphasis on our diplomacy,” said Judiciary Committee Ranking Member John Conyers, D-Mich. “The sooner … that we begin to look at this part of the problem, the better off we'll be in terms of getting as much cooperation as we can.” Sensenbrenner said he agrees that diplomacy is important.
Conyers said he would reintroduce his Cyber Privacy Fortification Act, which he sponsored last year. The bill would “create a strong standard for data breach and notification, which doesn’t exist now,” he said. While law enforcement agencies need the flexibility to pursue cybercriminals, it cannot be “at the expense of the privacy of innocent citizens,” he continued. “We must not toss aside existing privacy restrictions to grant the government and law enforcement unwarranted access to communications.” When companies share information about their users with the government, the companies should ensure that the information is stripped of all identifying information about users that is not related to the investigation, he said.
Subcommittee Vice Chairman Louie Gohmert, R-Texas, contemplated reforming the CFAA to allow computer users to counterhack, or defend themselves from a cyberattack by hacking the computer of the hacker. Gohmert compared this potential reform to a self-defense rationalization used in cases of physical assault. Kerr said an exception such as the one proposed by Gohmert should be written narrowly, because hacking victims cannot always be aware of who is hacking them or how much damage counter-hacking would cause. Gohmert said the identity of the hacker or the amount of damage that could be caused should not affect a victim’s ability to defend himself. “I'm not sure that I would care that it destroyed a hacker’s computer completely,” he said. Kerr also encouraged the subcommittee to clarify whether a violation of a website’s terms of service is a criminal offense, as courts have ruled differently on the issue. The issue could be taken to the Supreme Court, “or Congress could act and actually clarify which interpretation of the statute is the right one,” he said.
Law enforcement agencies should treat national security threats and commercial threats differently, said Rep. Trent Franks, R-Ariz., asking Deputy Assistant Director John Boles of the FBI’s Cyber Division how the agency treats the two differently. “One should identify whether it is a national security threat or simply a commercial threat,” Franks said. Boles replied that the agency has “kind of melded the two protocols together,” allowing it to better respond to threats that may be difficult to immediately identify as either commercial or national security related. That approach “makes us a much more nimble law enforcement community,” he said.
Franks said he is concerned that “intentional electromagnetic interference … may be our ultimate cybersecurity threat.” “I would hope that we would have that on the radar,” he said to Boles. “I realize that’s a little ways down the road, but perhaps not as far as it should be,” he continued.
The government should do more to encourage cybersecurity education and research and reform laws to facilitate the real-time sharing of threat information between companies and the government, said Robert Holleyman, CEO of BSA-The Software Alliance. Under existing laws, “you can only do something about it after the fact,” he said. Responding to a question from Rep. Cedric Richmond, D-La., Holleyman was hesitant to comment on whether the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act should be reintroduced. “The president’s executive order has tried to address many of the elements that would have been outlined in the PRECISE Act,” Holleyman said.