On Friday, Facebook revealed that it had been attacked. Company employees had visited a website that had infected their computers with malware; Facebook says it detected the problem, stopped it, and shared information about the attack with others who’d caught the same bug.
On Thursday, the House Intelligence Committee revived the Cyber Intelligence Sharing and Protection Act, which was written to guard against advanced cyber attacks like this one and to enable companies to share information about these threats, as Facebook did. The bill’s reintroduction came just two days after the State of the Union address, in which President Obama announced an executive order to deal with similar issues. The order will open new avenues for the government to share information with the private sector about threats to cyber security.
And CISPA would shield companies from the legal risks of returning the favor by sharing information with the government about cyber risks they’ve detected. The problem with the current bill, critics say, is that it protects companies by weakening existing privacy laws, as would be the case if Facebook’s sharing of attack details included sharing user information.
The government’s focus on cybersecurity comes as these attacks—often initiated by state intelligence agencies and criminal organizations looking for sensitive information—on US companies continue to increase, stoking worries in the private sector about theft of intellectual property and pushing leaders to pledge to protect it.
“We know foreign countries and companies swipe our corporate secrets,” President Obama said in his address to Congress. Rep. Mike Rogers, the Republican chairman of the House’s Select Committee on Intelligence, said in a hearing Thursday that “some of our most innovative ideas and sensitive information are being brazenly stolen by these cyber attacks.” His ranking member, Democrat Dutch Ruppersberger, wrote in the Baltimore Sun that other countries were going after “our companies’ most valuable trade secrets, threatening US profits, and American jobs.”
The words “intellectual property” do not appear in either the president’s order or the CISPA text. But protecting this information is very much driving the cybersecurity policies coming out of Washington.
What does intellectual property have to do with cybersecurity?
It’s not necessarily obvious that it’s the government’s responsibility to protect against threats to intellectual property as if they were threats to national security. But attacks on private companies have increased and have begun targeting not just credit card numbers or customers’ information, but the research and ideas that make up the core of these companies’ work. In response, the business community and online security experts have been making the case that the federal government has a duty to step in.
John Dowdy, who directs McKinsey’s global defense practice, laid out this argument quite clearly last year in a book chapter called “The Cybersecurity Threat to US Growth and Prosperity.”
“As a rule, government takes stronger action to help companies protect critical national infrastructure than to protect their intellectual property,” he wrote. His reasoning was that this policy was outdated: The pressure of increasing cyber attacks has changed the government’s responsibilities to the corporations operating within its jurisdiction. “Government must… make a shift to recognize that it is responsible not only for the protection of its own assets, but for cybersecurity in the private sector, as well.”
Dowdy proposes a new “security-economic complex,” a modern-day parallel to the military-industrial complex, that would strengthen cyber defenses. But there’s already an important connection between the need for improved cybersecurity and regular old national security—defense contractors are some of the most frequent and high-profile targets of these attacks.
In 2011, when the online security company McAfee released a report on intrusions by a single aggressor, 13 out of 71 victims were defense contractors. Only government entities had been more heavily targeted. That same year, Lockheed Martin identified and blocked a “significant” attack. Last year, thieves stole crucial information about the military’s costly F-35, gaining access to the system through military contractors’ networks, The Wall Street Journal reported.
Defense contractors aren’t the only companies that need to defend their intellectual property against cyber attacks, but they’re the first ones that the federal government started to help. In 2011, the Defense Department rolled out the Defense Industrial Base cyber security pilot project, which allowed the government to hand over information it had identified about potential attacks to defense contractors.
This is exactly the sort of transfer of information that President Obama’s executive order will allow a wider range of companies to benefit from, with more specific, detailed information from the government about cyber threats.
Like the president’s executive order, CISPA would increase information sharing about cyber threats between the public and private sectors. But it would also open a path for information to flow the other way—from private companies to the government. And while the executive order earned praise from groups concerned with Internet privacy, like the Center for Democracy and Technology and the American Civil Liberties Union, CISPA still raises concerns.
“The executive order has to follow current law,” says the Electronic Frontier Foundation’s Mark Jaycox. “If you were to just generalize to a high level, CISPA creates new powers for companies to spy on people and gives them carte blanche to give that information to the government.”
Specifically, CISPA would give companies more legal protections in the event that, in the process of handing over information to the government, they also passed along their customers’ personal information. The bill’s sponsors emphasize that this sharing is entirely voluntary—that the government won’t be able to monitor individuals through this program. The privacy groups’ concern is that individuals’ communications and online activities will become a casualty of companies’ desire to have the government help protect their intellectual property.
It’s not clear that CISPA will get any further than it did last year, when it passed the House, earned a veto threat from the president, and stopped cold in the Senate. If the revived bill is to make it into law, it’ll have to avoid a renewed veto threat—lawmakers will have to convince President Obama that the policies they’re proposing not only complement his, but won’t undermine the privacy protections that his executive order made a point of including.
Disclosure: CJR has received funding from the Motion Picture Association of America (MPAA) to cover intellectual-property issues, but the organization has no influence on the content.