Lawmakers: Leaks slowed cybersecurity legislation

NSA disclosures, Syria and other factors make cybersecurity legislation more difficult and more imperative.

The disclosures of classified surveillance programs by former National Security Agency contractor Edward Snowden have further slowed the already ponderous process of passing cybersecurity legislation, and also put U.S. commercial networks at increased risk of attack, the bill's top sponsors said Sept. 12.

Rep. Mike Rogers (R-Mich.), chairman of the House Intelligence Committee, said that "misperceptions" created by media reports based on documents leaked by Snowden have slowed efforts to advance the Cyber Intelligence Sharing and Protection Act (CISPA), which the House passed in April.

"We've had great conversations with the Senate. They haven't given up on it. We think that [they] will make a few changes and maybe, hopefully, get a bill sent to the president," Rogers said at the Intelligence and National Security Alliance (INSA) conference in Washington, D.C.

Rep. Dutch Ruppersberger (D-Md.), ranking member on the committee, sounded slightly more pessimistic, saying the bill was currently stalled in the Senate. "We're trying to work on that," he said, appearing on the same stage as Rogers.

CISPA would create a framework for information sharing on cyberthreats between industry and government. The bill is a reworking of a 2011 version that drew considerable criticism from privacy advocates. The latest iteration includes provisions designed to place limits on what the government could do with personal information received as part of threat reports from private industry.

However, news reports of National Security Agency programs designed to collect and retain bulk phone metadata records from telecommunications carriers and details of Internet activity from private firms have significantly reduced the appetite for new cybersecurity legislation. Instead, some legislators on both sides of the aisle are looking for ways to curb the authority of the NSA to collect information.

Rep. Justin Amash (R-Mich.) sponsored an amendment to the Defense authorization bill that would have banned the NSA from storing bulk phone metadata records. The proposal was narrowly defeated. Rep. Rush Holt (D-N.J.) introduced legislation that would roll back some spying authorities granted to the government under the Patriot Act and the Foreign Intelligence Surveillance Act.

Despite the relationships with commercial firms detailed in news reports, the intelligence community still faces a gap when it comes to observing cybersecurity threats faced by private networks, according to senior officials who spoke at the INSA conference.

"We need to have partnerships with industry. We need to understand what is going on within not just our own networks but the nation's networks," Rear Adm. Sean Filipowski, director of intelligence at U.S. Cyber Command, told a panel at the INSA conference.

At a separate panel, Michael Werthheimer, director of research at NSA, said, "You need a legal framework to protect that sharing of information."

Rogers raised the specter of a possible cyberattack on U.S. networks by the Syrian Electronic Army, should the United States pursue military options against Syria. "There are huge vulnerabilities in the private sector system," Rogers said. Without real-time information sharing, the private sector would lack the ability to protect its networks.

The lack of visibility into private-sector networks prevents the intelligence community from getting a top-down view of cyberthreats, said Jim Richberg, deputy national intelligence manager for cyber at the Office of the Director of National Intelligence. "What we definitely need if we're going to produce a holistic view of cyberthreats from an intelligence perspective is finding a way of doing this as a fused, partnered product and process."

That does not necessarily mean that information is not already being shared between private industry and government with regard to network vulnerabilities and threats.

Werthheimer said that in the case of a major flaw in a device or in a piece of important software, the NSA is able to reach out to employees with security clearances at affected companies and discuss how to remediate the problem.

"When you get software updates at home, sometimes major updates you got at home came from NSA," Werthheimer said. "That's part of the role we have to play."