Last Friday, U.S. Representative Mike Rogers (R-Mich.) outlined the main points of a bill, which if signed into law would require the federal government and private companies to share information about online threats.
Rogers, who is chairman of the House Permanent Select Committee on Intelligence, along with Intel Chief Executive Paul Otellini spoke with the media following an invitation-only panel discussion. The event, titled “Leveraging Private Sector Drive and Innovation to Improve U.S. Cybersecurity,” was organized by Stanford’s Center for International Security and Cooperation (CISAC). In addition to Rogers and Otellini, members of the panel included Stanford Law Professor and CISAC co-director Mariano-Florentino Cuellar, Representative Anna G. Eshoo (D-Calif.), Vice President for Security Engineering at Google Eric Grosse, Oracle’s Chief Corporate Architect Edward Screven and Cisco’s Security Group Leader Chris Young.
House Bill H.R. 3523, called the Cyber Intelligence Sharing and Protection Act of 2011, would require the Director of National Intelligence to create a way for the government to share information about online threats with private companies. The government would also be required to encourage private companies to share their own information with the national government. The bill, which awaits a house vote later this year, comes on the heels of reports of cyber hacking originating from outside the United States against U.S. government computers including the Pentagon’s.
“The intelligence community believes strongly that it’s just a matter of time before we have a catastrophic cyber attack,” Rogers said. “We have admired this problem for a very long time, and it is time to do something.”
Otellini said he supports the law because it is easy to carry out and will improve the online security environment, which also now includes cellular phones.
“It’s a great first step; it’s very implementable,” Otellini said. “It simply says: the government has information. They can share it with private industry privately. We can take advantage of that to improve our products and protect our customers.”
Rogers said the passage of this law would not allow for government officials to legally look for personal information.
“The language that we strengthened was to say that this information can only be used for national security purposes,” he added. ”Nobody can go phishing. You can’t have an IRS agent going in and saying, ‘Gee, we’d like to find out if somebody hasn’t been paying their taxes.’ All of that cannot happen.”
The bill would exempt legal action against companies that while sharing information disclose personal information. Doubts about the government’s ability to protect the information of private people remain. The American Civil Liberties Union expressed disapproval of the proposed law.
“An important challenge in the years ahead for the government is convincing the public that it can handle sensitive information such as what might be shared by private sector entities under a bill like this,” Cuellar wrote in an email to The Daily. “Courts, legislative oversight and internal auditors within the executive branch such as inspectors general could play an important role in that process.”
Cuellar remarked that policymakers around the world are becoming more interested in the issue of cybersecurity. This is one reason for CISAC’s increased involvement in this area of study.
“As with national security and criminal justice problems more broadly, the choices we make to secure cyberspace will have far-reaching effects on our lives,” Cuellar wrote. “Americans should recognize that the stakes here are partly about the safety and security of computer networks, but also about identity management and privacy, international cooperation and the role of the public sector.”
In addition to his visit to Stanford, Rogers said he planned to meet with the leaders of tech companies in the area. He declined to state which companies he intended to visit.