On Friday, Facebook revealed that it had been attacked. Company employees had visited a website that had infected their computers with malware; Facebook says it detected the problem, stopped it, and shared information about the attack with others who’d caught the same bug.
On Thursday, the House Intelligence Committee revived the Cyber Intelligence Sharing and Protection Act, which was written to guard against advanced cyber attacks like this one and to enable companies to share information about these threats, as Facebook did. The bill’s reintroduction came just two days after the State of the Union address, in which President Obama announced an executive order to deal with similar issues. The order will open new avenues for the government to share information with the private sector about threats to cyber security.
And CISPA would shield companies from the legal risks of returning the favor by sharing information with the government about cyber risks they’ve detected. The problem with the current bill, critics say, is that it protects companies by weakening existing privacy laws, for instance if Facebook’s sharing of attack details included sharing user information.
The government’s focus on cybersecurity comes as these attacks on US companies, often initiated by state intelligence agencies and criminal organizations looking for sensitive information, continue to increase, stoking worries in the private sector about theft of intellectual property and pushing leaders to pledge to protect it.
“We know foreign countries and companies swipe our corporate secrets,” President Obama said in his address to Congress. Rep. Mike Rogers, the Republican chairman of the House’s Select Committee on Intelligence, said in a hearing Thursday that “some of our most innovative ideas and sensitive information are being brazenly stolen by these cyber attacks.” His ranking member, Democrat Dutch Ruppersberger, wrote in the Baltimore Sun that other countries were going after “our companies’ most valuable trade secrets, threatening US profits, and American jobs.”
The words “intellectual property” do not appear in either the president’s order or the CISPA text. But protecting this information is very much driving the cybersecurity policies coming out of Washington.
What does intellectual property have to do with cybersecurity?
It’s not necessarily obvious that it’s the government’s responsibility to protect against threats to intellectual property as if they were threats to national security. But attacks on private companies have increased and have begun targeting not just credit card numbers or customers’ information, but the research and ideas that make up the core of these companies’ work. In response, the business community and online security experts have been making the case that the federal government has a duty to step in.
John Dowdy, who directs McKinsey’s global defense practice, laid out this argument quite clearly last year in a book chapter called “The Cybersecurity Threat to US Growth and Prosperity.”
“As a rule, government takes stronger action to help companies protect critical national infrastructure than to protect their intellectual property,” he wrote. His reasoning was that this policy was outdated: The pressure of increasing cyber attacks has changed the government’s responsibilities to the corporations operating within its jurisdiction. “Government must… make a shift to recognize that it is responsible not only for the protection of its own assets, but for cybersecurity in the private sector, as well.”
Dowdy proposes a new “security-economic complex,” a modern-day parallel to the military-industrial complex, that would strengthen cyber defenses. But there’s already an important connection between the need for improved cybersecurity and regular old national security: defense contractors are some of the most frequent and high-profile targets of these attacks.
In 2011, when the online security company McAfee released a report on intrusions by a single aggressor, 13 out of 71 victims were defense contractors. Only government entities had been more heavily targeted. That same year, Lockheed Martin identified and blocked a “significant” attack. Last year, thieves stole crucial information about the military’s costly F-35, gaining access to the system through military contractors’ networks, The Wall Street Journal reported.
Defense contractors aren’t the only companies that need to defend their intellectual property against cyber attacks, but they’re the first ones that the federal government started to help. In 2011, the Defense Department rolled out the Defense Industrial Base cyber security pilot project, which allowed the government to hand over information it had identified about potential attacks to defense contractors.
This is exactly the sort of transfer of information that President Obama’s executive order will allow a wider range of companies to benefit from, with more specific, detailed information from the government about cyber threats.