Online espionage has become a common threat for US corporations. FBI Director Robert Mueller says, "There are only two types of companies, those that have been hacked and those that will be."
The problem for companies is serious and goes beyond espionage by competitors and foreign governments. Cleanup costs can be expensive and disclosure can subject companies to civil liability.
Until now, the federal government has addressed cyber threats through disparate initiatives, including the critical infrastructure protection programs of DHS and sector-specific federal agencies, CFIUS, GSA procurement regulations for government contractors, Commerce Department NIST standards and State Department CISADA sanctions, coupled with parallel congressional investigations. Recognizing that disparate initiatives won't work, the agencies and Congress have begun to structure a comprehensive, coordinated cybersecurity program in which private companies will be expected to participate.
Cybercriminals break into computer systems to engage in an array of crimes – stealing intellectual property, or accessing confidential personal data, such as credit card and social security numbers. Following a data breach, one company incurred a cleanup cost of US$170 million – such costs are not unusual. And companies that experience data security breaches are exposed to civil liability as a result. As companies have become more aware of these concerns, they have been hardening their defenses against cyber attacks.
Cybersecurity is not limited to Internet-related threats. It also includes threats that are perpetrated through the supply chain. The US-China Review Commission reports: "The pervasiveness of globally distributed supply chain networks means that virtually every sector of private industry has the potential to be impacted by a compromise."
Though there is consensus that cybersecurity requires urgent attention, there has not been uniform agreement within the US government about how to address the threat of cyber attacks; and there are substantial legal and procedural gaps in the government’s ability to assure cybersecurity. Federal agencies and congressional committees with competing jurisdictions have proposed remedies that are disparate and even at odds with each other. Meanwhile, there is consensus that companies in the private sector, as owners of most communications networks, must be engaged by the government in the cybersecurity effort.
CFIUS: threshold source of jurisdiction
The context in which the government most frequently has asserted dependable jurisdiction to address the threat of cyber attacks has been the Committee on Foreign Investment in the US (CFIUS) process. When telecom systems suppliers have proposed foreign mergers or acquisitions, by way of example, the government either has rejected the proposed transactions or has conditioned them upon the completion of reliable mitigation agreements that promote cybersecurity. However, outside the purview of CFIUS, the government’s authority to approve or disapprove activities or transactions has been less clear. Indeed, the government has come to recognize that, with federal agencies whose jurisdictions vary and at times overlap, it lacks the cohesion even to share reliable information on an inter-agency basis about cyber threats.
Agencies independently promote interim solutions
In the absence of a centralized, coherent government process, various government agencies have tackled the issue, for instance, by imposing procurement rules on government contractors with the goal of shielding precious technology and intellectual property. Alongside CFIUS actions, the government has actively discouraged the use of Chinese suppliers in the construction of at least one major telecom system; and the Commerce Department has disqualified at least one Chinese supplier from the new nationwide first responders' network. The Department of State recently advised at least one foreign telecom equipment supplier that it may be subject to sanctions under CISADA for activities in Iran. The Commerce Department has been working to develop standards for supply chain risk management (the NIST proposal). In parallel, GSA has been working on improvements in procurement regulations.
Enhanced agency coordination: designing a centralized government approach
More recently, however, the Administration and Congress have set about the task of designing a centralized approach. Concern about the threat of cyber attacks has led the Administration to initiate a multi-agency review led by John Brennan, President Barack Obama’s principal counterterrorism advisor. That review is ongoing and will not be completed until later this year. Meanwhile, responsible federal agencies have been meeting regularly to improve inter-agency cooperation; and some tangible improvements have been registered, though jurisdictional competition still remains.
Congress is acting now
Congress has taken an active role as well, and multiple congressional committees are asserting jurisdiction over cybersecurity issues. The House Intelligence Committee has undertaken an extensive investigation with respect to the use of Chinese equipment in the US telecom system. The House Energy and Commerce Committee is conducting a parallel investigation with assistance from the General Accountability Office.
The Administration has proposed legislation and has been conducting classified briefings to persuade members of Congress that cybersecurity legislation is urgently needed and should not be delayed for political or procedural reasons. Two competing Senate bills have been introduced to require or encourage private sector information sharing and cooperation with the government. One Senate bill relies on mandatory regulation; the other relies on discretionary cooperation. Both bills provide, in varying degrees, for protection against civil and criminal liability; and one bill provides for relaxation of antitrust prohibitions against private sector information sharing. Two bills already have been introduced in the House and more may follow, with floor consideration as early as mid-April.
Recently, the US Attorney for the Southern District of New York filed charges against a group called LulzSec, which is alleged to have stolen confidential information involving many thousands of customer accounts. The FBI has pursued members of Anonymous, and 16 individuals have been arrested and charged in more than ten states in connection with this investigation.
Engaging the private sector
Even in the midst of competing jurisdictions and policies, the Administration and Congress agree on one proposition. Whatever the government is doing will not suffice unless the private sector is engaged effectively to share information and to play an active role in assuring cybersecurity. Speaking to the RSA Computer Security Conference in San Francisco, Director Mueller said the FBI needs private sector help to combat cyber threats.
The Administration has begun meeting with companies around the country to share threat information and to describe the Administration’s efforts and engage private sector participation. Whether the private sector is engaged through mandatory regulation or through cooperative efforts, there is no doubt that the government is determined to enter into a partnership with the private sector to promote cybersecurity.
Companies have begun voicing concerns. Examples: Will my company be regulated? What will new regulations require from my company? Who will be my regulators? What new compliance obligations will be required of my company? Will companies be subject to penalties for noncompliance? What potential new liabilities will my company face? What will the government do with information provided by my company? The answers to these and other questions will affect private businesses in every sector.