Cyber-Legislation Bill Approved by House, Senate Prepares Its Own
Federal law enforcement officials expect cyber-espionage, hacktivists and cyber-attacks to soon surpass traditional terrorism as the No. 1 threat facing the United States, according to Congressional testimony.
"Stopping terrorists is the No. 1 priority," Robert Mueller, director of the Federal Bureau of Investigation, told the Senate Select Committee on Intelligence Feb. 1. "But down the road, the cyber-threat will be the No. 1 threat to the country. I do not think it is necessarily the No. 1 threat, but it will be tomorrow."
The U.S. Director of National Intelligence James Clapper urged the U.S. House of Representatives and the Senate to pass legislation to increase cyber-security in both the public and private sectors during a hearing of the House Select Intelligence Committee on worldwide threats on Feb. 2. Clapper discussed intrusions on public systems that control major defense weapon systems, electrical grids and banking infrastructure. The U.S. economy is losing upwards of $300 billion per year because of rampant cyber-espionage, Clapper said.
Perhaps Mueller is right to be nervous. On Feb. 3, the hacktivist collective Anonymous released audio transcripts on YouTube of a 16-minute call between the FBI and Scotland Yard in which law enforcement officials discussed several Anonymous- and LulzSec-related cases. The FBI and British police have confirmed that the transcripts are legitimate and said they are investigating.
Anonymous had access to one of the call participants' email accounts and had intercepted an email containing the dial-in information and passcode for the trans-Atlantic phone call, an Anonymous member bragged on Twitter.
"The #FBI might be curious how we're able to continuously read their internal comms for some time now. #OpInfiltration," AnonymousIRC wrote on Twitter.
The email invitation for the Jan. 17 conference call had been sent to 44 government officials and members of the law enforcement community, including FBI's cyber-crime-specialist counterparts in the French government, London's Metropolitan police, representatives from the European Union criminal intelligence agency Europol, the Swedish government and the Netherlands, according to a post on the text-sharing site Pastebin.
Congress is making some moves toward comprehensive cyber-legislation.
The House Homeland Security Subcommittee on Cyber-Security, Infrastructure Protection and Security Technologies marked up the cyber-security bill sponsored by Rep. Dan Lungren (R-Calif.) and unanimously approved it Feb. 1. Lungren's Promoting and Enhancing Cyber-Security and Information Sharing Effectiveness Act (PRECISE) calls for creating a nonprofit National Information Sharing Organization that would collect cyber-security threat information and allow the industry to voluntarily share the data with the government. The NISO umbrella would make private firms and government agencies exempt from privacy laws that prevent data sharing, so long as they share the information only for cyber-security purposes.
The bill also identified the Department of Homeland Security as the lead federal agency for securing networks operated by the civilian government and the private sector. It does not give the government an "Internet kill switch" or authority to limit Internet traffic in case of an emergency.
ISPs and other operators need "clearer legal authority" to share signatures and other information about suspected attacks with each other and with the government, wrote Greg Nojeim, senior counsel at the Center for Democracy and Technology, on the CDT blog. A private nonprofit organization would pose far fewer privacy risks than an information-sharing hub run by the government, according to Nojeim.
The Senate has plans to present its version of the cyber-security bill for markup by Feb. 17. The Senate bill is rumored to also put the Department of Homeland Security in charge, but the agency would also have the authority to create security rules for the private sector to follow, and punish companies that do not comply with the rules. The Department of Homeland Security would decide which companies it would be able to regulate but would select those with systems whose "disruption could result in the interruption of life-sustaining services, catastrophic economic damage or severe degradation of national security capabilities," according to a summary of the bill.
As much as 85 percent of the country's critical infrastructure is controlled by the private sector.
"Where the market has worked, and systems are appropriately secure, we don't interfere," said Sen. Joseph Lieberman (Ind.-Conn.), chairman of the Senate Homeland Security and Governmental Affairs Committee. "But where the market has failed, and critical systems are insecure, the government has a responsibility to step in," Lieberman said.