Target, Home Depot, Neiman Marcus hacks designed to steal personal private citizen info
Texas Insider Report: WASHINGTON, D.C. "This cybersecurity bill, now headed for the House Floor, is the result of extensive coordination in Congress and months of bipartisan meetings and consultation with industry and privacy advocates. This bill is supported by Republicans and Democrats alike because it protects Americans' private information," said Cong. Michael McCaul (R-TX), chairman of the House Committee on Homeland Security, as it unanimously passed McCaul's National Cybersecurity Protection Advancement Act of 2015 to improve cybersecurity.
The legislation encourages voluntary information-sharing about cyber threats between and amongst the private sector and government in order to safeguard America's digital networks, and was co-authored by and Cong. John Ratcliffe (R-TX), chairman of the Cybersecurity Infrastructure Protection & Security Technologies Subcommittee.
H.R. 1731, the National Cybersecurity Protection Advancement (NCPA) Act of 2015, passed out of the House Homeland Security Committee by voice vote.
Said Cybersecurity & Infrastructure Protection Subcommittee Chairman Ratcliffe:
"Securing Americans' privacy and the integrity of their personal information is precisely why Congress must act. The National Cybersecurity Protection Advancement (NCPA) Act will enhance the capabilities and relationships that the private sector has worked so hard to develop, while establishing procedures to safeguard personal privacy," said Ratcliffe.
"If the private sector does not have access to timely cyber threat indicators, the tools, tactics and techniques of other attempted intrusions, we are putting our homeland in grave danger.
"The time is now for legislation that protects personal information from cyber intrusions, prevents widespread disruption to vital sectors of our economy and safeguards our homeland from ongoing cyber threats," Ratcliffe said.
On March 17th, Cong. McCaul delivered remarks at a Center for Strategic & International Studies (CSIS) "Cyber Leaders" event. During his remarks, Chairman McCaul announced he would soon release a discussion draft of a new Cybersecurity Bill.
"We made a lot of progress in 2014, but we still need to remove obstacles to information sharing while simultaneously protecting the privacy interests of Americans," said McCaul at the time.
"This week I am releasing the draft of a new bill that would further enhance the DHS National Cybersecurity and Communications Integration Center's (NCCIC) role as the primary federal civilian interface for the sharing of cyber threat information to enable timely, actionable and operational efforts between the federal government and private sector.
"DHS also has some of the strongest privacy protection mechanisms in the federal government and has the first statutorily established privacy office. Such built-in privacy oversight is an important reason why DHS is the leading civilian interface for these exchanges."
- Text of remarks as delivered is below.
Safeguarding the Digital Frontier: The Way Ahead for American Cybersecurity and Civilian Network
The Honorable Michael McCaul
Chairman of the U.S. House Committee on Homeland Security
Delivered at the Center for Strategic & International Studies (CSIS)
March 17, 2015
As a Nation, we are finally beginning to grasp the magnitude of the cyber challenges we face, particularly as they start to hit home for millions of Americans.
Just last month, our country's second-largest health insurance provider, Anthem, announced it was the victim of an unprecedented cyber intrusion. The attackers gained access to a database holding the sensitive records of 80 million individuals, including the names, birth dates and social security numbers. In total, the personal information of one in four Americans may have been compromised by that cyber attack.
Attacks like this are a wake-up call that our cyber adversaries have the upper hand and that the consequences will get worse if we fail to reverse the tide.
Today I want to discuss three issues with you including:
- The scope of the cyber threat our Nation faces;
- The government's cyber defense role, particularly at the Department of Homeland Security, and how we've been enhancing it;
- And finally, some of my legislative goals this year to defend American cyberspace against destructive attacks and costly intrusions.
First, we must recognize that a silent war is being waged against us in cyber space, and that we are losing ground to our adversaries.
The cyber landscape has shifted quickly. At the dawn of the digital age, our nation saw endless opportunities to generate prosperity by expanding our networks and connecting to the world. But today, American prosperity depends as much on defending those networks as it does on expanding them.
We cannot tolerate acts of cyber vandalism, cyber theft and cyber warfare, especially when they put our Nation's critical infrastructure and secrets at risk, and when they compromise American innovation. Yet our cyber defenses have proven weak in the face of agile enemies.
As I speak, government computer systems are being hacked, proprietary data is being stolen from American companies and the computers of private citizens are being compromised. And most of it is being done with impunity.
Criminals, hacktivists, terrorists and nation-states have managed to exploit our networks by staying at the cutting edge of technology. In the meantime, our defenses have lagged behind.
These faceless intruders regularly change their tactics and escape justice by masking their identities. And usually they are operating beyond the reach of U.S. authorities. China, North Korea, Iran and Russia are among the most advanced of our cyber adversaries, but even terrorist groups like ISIS are working to develop or acquire disruptive cyber-attack capabilities.
It is obvious that these threats are escalating in sophistication and destructive potential. We are confronted almost daily with frightening new precedents, including nation-states launching cyber attacks on our own soil. This happened at least twice in the past year.
Director of National Intelligence James Clapper recently revealed that Iran was behind a devastating 2014 cyber attack on Las Vegas Sands Corporation, the world's largest gambling company.
And nine months later, North Korea used a digital bomb to destroy computer systems at Sony Pictures, an attack that was not only destructive but was a cowardly attempt to intimidate Americans and stifle freedom of speech.
The impact of cyber intrusions is felt across America, from kitchen tables to corporate boardrooms. The recent breach at Anthem illustrates how easy it is for ordinary Americans to become attack victims. This attack followed intrusions at Target, Neiman Marcus, Home Depot and JP Morgan, all of which were designed to steal the personal information of private citizens.
But our cyber adversaries are not just seeking to steal Americans' identities. They want our security secrets and our innovative ideas. We were reminded of this over the weekend, when the State Department was forced to shut down large portions of its computer systems in an attempt to expel hackers who invaded our diplomatic networks. They are believed to be tied to a foreign country.
Digital espionage extends into the business world. We know that Chinese hackers, for instance, continue to breach corporate networks to give their own companies a competitive advantage in the global economy. And states like Iran have targeted major U.S. banks to shut down websites and restrict Americans' ability to access their bank accounts.
Make no mistake: such attacks are costing Americans their time, money and jobs. In fact, General Keith Alexander, former director of the National Security Agency, has described cyber espionage and the loss of American intellectual property as the "greatest transfer of wealth in history."
But the threat extends beyond the industrial engines that drive our economy to the critical infrastructure that supports our way of life.
Our adversaries are hard at work refining cyber attack capabilities that can shut down critical infrastructure, and they want to use these tools to threaten our leaders and intimidate our people, in both times of peace and times of conflict.
A major cyber attack on our gas pipelines or our power grid, for instance, could cripple our economy and weaken our ability to defend the United States. These scenarios sometimes sound alarmist, but we must take them seriously because they grow more realistic every day.
In fact, we saw a preview of this in 2012, when Iranian-backed hackers hit Saudi Arabia's national oil company, Aramco, destroying 30,000 hard drives and simultaneously hitting our financial sector in the same year. In fact, Iran is attempting to infiltrate our financial sector every day.
To combat these threats and live up to our obligations to "provide for the common defense," our government must take a leading role in securing cyberspace. We cannot leave the American people and our companies to fend for themselves.
The digital frontier is still very much like the Wild West. At this moment, there are far more cyber outlaws than convicted cyber-criminals, a clear sign that we have a lot of catching up to do. We are really in uncharted territory. Not since the dawn of the nuclear era have we witnessed such a leap in technology without a clear strategy for managing it.
To establish order and defend America's interests in the digital domain, we must map out the rules of the road and clarify responsibilities inside and outside of government.
We are not quite there yet. In fact, I would argue that we are in a pre-9/11 moment when it comes to cybersecurity. In the same way legal barriers and turf wars kept us from connecting the dots before the 9/11 attacks, the lack of cyber-threat information sharing is leaving us vulnerable to our enemies.
Between the government and the private sector, we have the information needed to limit cyber threats and stop fresh attacks. But we are not sharing that information. Critical information is not disclosed efficiently enough to stop cyber intrusions before they start or to shut them down once they have.
The danger of poor information-sharing is really not a hypothetical; it's real. This month, the head of U.S. Cyber Command, Admiral Mike Rogers, warned Congress that our adversaries may be leaving "cyber fingerprints" on our critical infrastructure to signal their ability to attack our homeland. He believes that before he retires, we are likely to see a destructive cyber attack against critical infrastructure.
If we are not swapping information about these threats, their impact is guaranteed to be more widespread and more severe. But the reality is that 85 percent of critical infrastructure is in the hands of the private sector. Because of this, collaboration between the government and industry is vital to homeland security.
Admiral Rogers had it right when he said that cybersecurity is the ultimate team sport. No single entity, in government or the private sector, can tackle these threats independently. Each stakeholder must have skin in the game to prevail against attackers.
This is where the unique mission of the Department of Homeland Security comes into play. DHS serves as the primary civilian interface for sharing cyber threat information, and for good reason. DHS was created to stop terrorist attacks after 9/11 by connecting-the-dots, and it is well-positioned to do the same to stop cyber attacks.
The Department's key tool is the National Cybersecurity and Communications Integration Center, or NCCIC, which is quickly becoming the tip of the spear for cyber threat information sharing between the government and the private industry.
Last year alone, DHS estimated that it received nearly 100,000 cyber incident reports, detected 64,000 major vulnerabilities, issued nearly 12,000 alerts or warnings, and responded to 115 major cyber incidents.
But we cannot measure its effectiveness in numbers alone. The NCCIC must actually improve and increase information-sharing, and to do that it needs to be a trusted partner to the private sector.
Its job in doing this is made easier by virtue of the fact that the NCCIC is not a cyber regulator, it cannot prosecute you, and it is not a spy agency. It's a civilian interface. Accordingly, the NCCIC has no authority to do anything more with the information it receives other than use it to prevent and respond to cyber attacks and enhance our cyber posture.
During the last Congress, I led the efforts to strengthen our cybersecurity foundations, including landmark legislation authorizing information sharing at the NCCIC. And we managed to get five key cybersecurity bills passed into law for the first time in the history of the Congress. This is now a starting point for our efforts in this Congress.
Importantly, we passed legislation supported by both industry and advocates for privacy and civil liberties. It was called a pro-security and pro-privacy bill; there are very few bills in Congress that can say that.
First, we established a federal civilian interface at the NCCIC to facilitate information sharing across 16 critical infrastructure sectors and with the private sector.
Second, we laid down the rules of the road regarding how information is shared.
Third, we assured that Americans' rights and personal information will remain protected.
Fourth, recognizing that human capital will ultimately determine our ability to succeed, we positioned DHS to improve its cyber workforce.
And fifth, we enhanced the Department's ability to prevent, respond to and recover from cyber incidents on federal networks.
This brings me to my cyber agenda for this year. We made a lot of progress in 2014, but we still need to remove obstacles to information sharing while simultaneously protecting the privacy interests of Americans.
Right now, the lack of liability protection for the private sector is a problem. Companies are hesitant to share information about cyber threats and intrusions that take place in their networks. They fear that doing so could put their customers' privacy at risk, expose sensitive business information or even violate federal law and the duty they have to their shareholders.
As a result, the vast majority of cyber attacks go unreported, leaving others vulnerable to the same intrusions. This is an urgent problem that needs to be solved now. The bottom line is clear: if no one shares, everyone is at risk.
Distributing threat information should not be punished. It should be encouraged, which is why we need to create legal "safe harbors" for companies to be able to exchange this threat information without fear of being sued.
Moreover, better information-sharing actually improves industry's ability to safeguard our personal data by allowing entities to keep the prying eyes of hackers outside of our digital health records and bank accounts.
I am pleased to announce that we are aiming to resolve this dilemma and strengthen our cybersecurity foundations further.
This week, I am releasing the draft of a new bill that would further enhance the NCCIC's role as the primary Federal civilian interface for the sharing of cyber threat information to enable timely, actionable and operational efforts between the Federal Government and the private sector.
The draft bill would give protections for the voluntary exchange of cyber threat information, including "government-to-private" and "private-to-private" sharing.
For instance, if a major bank falls victim to a cyber intrusion, it would not be held back from sharing details of the attack with either the government or other banks and businesses, as long as the sharing is done through the appropriate channels and does not compromise the private information of customers and citizens.
Moreover, the draft bill would give liability protections for companies to monitor their own information systems and, importantly, to use defensive measures to prevent intrusions.
In the current environment, companies do not feel they have the adequate legal protection to take these measures. We're not incentivizing them to be a full participant in the safe harbor and in the NCCIC.
Right now, we are working with the House Judiciary Committee on crafting a liability exemption standard that addresses these issues and will be used in other cyber information-sharing legislation in the House.
With this legislation, I also plan to continue our laser-like focus on privacy protections so that information-sharing can be done without risking exposure of personal data.
My draft bill would ensure, when information about a breach changes hands, whether it is provided to the government or exchanged between companies, that it is thoroughly scrubbed for personal information so Americans do not have their sensitive data exposed.
It also would require the NCCIC to destroy any personal information that is unrelated to the cybersecurity risk or incident. I take that issue very seriously.
Fortunately, DHS has some of the strongest privacy protection mechanisms in the Federal government and has the first statutorily established privacy office. Such built-in privacy oversight is an important reason why DHS is the leading civilian interface for these exchanges. In fact, privacy advocates already have endorsed the NCCIC's role as an information-sharing portal.
The changes made by this draft bill will increase what we know about digital threats and, in doing so, will enhance American security.
Today, we have a dangerous, incomplete picture of the cyber weapons being used against us. More rapid and frequent information-sharing about these threats will give us the ability to head off cyber adversaries before they can do more damage, both to the public and to private networks.
The President has also proposed steps to enhance liability protection, and I was pleased that he did so because it moves the debate and the discussion forward on both sides of the aisle. I would submit, though, that it does not go far enough on liability protection, which is why our bill aims to create more robust liability protections.
The Committee on Homeland Security will mark up this bill in the next few weeks. In the meantime, we will continue meeting with industry and private groups, as we always have, to ensure we are getting this right and crafting the best solution to tackle the surge in cyber threats we are all witnessing.
Our plan is to take this legislation to the House Floor next month, and when we do, we will be forward-leaning and eager to reach across the aisle to get it passed.
This will be landmark. This will create how we deal with cybersecurity for the next decade. Now is the moment to take action.
These threats are not just looming on the horizon. They are not hypothetical; they're real. They are already inside our networks, and they are putting our security and prosperity in peril. Safeguarding the digital frontier is one of the leading national security challenges of our time, and our generation will not back down from that challenge.
It is clear that we have been losing ground against our adversaries in cyberspace. But better cyber threat information sharing will help us turn the tide and defend our networks against destructive intrusions.