The US Senate will vote this week on a watered-down version of a cyber-security bill designed to prod American companies to do more to keep the nation’s economy and infrastructure safe from hostile hackers.
The bill, which would put in place a voluntary program for American companies to follow and in exchange give them access to help from the US government, is a step back from the mandatory new rules that Senate supporters had hoped to impose on American companies.
Partly, that’s a result of resistance from the US Chamber of Commerce and other business groups, who don’t like the idea of burdensome new federal regulations on companies.
The Chamber’s Matthew Eggers, noting that the business group supports two rival measures, said in a blog post to be posted Monday, “If Congress wants to encourage businesses to enhance their cyber-security for the public good, which is a worthy goal, then it should offer businesses some legitimate carrots—and not use incentives as a thinly veiled way to regulate the business community.”
But in a recent interview with CNBC, former National Security Agency director and former Director of National Intelligence Mike McConnell said that companies aren’t even reporting the attacks that do happen, let alone doing enough to prevent new attacks.
“There are probably millions of attacks per day, and I would say most of them are unreported,” McConnell said.
What’s more, he said, current law prevents American intelligence agencies from sharing classified information with corporate America, even though US intelligence can often tell when companies have been hacked and what specifically has been stolen.
“If we collect and we have it available, it's classified,” said McConnell, who is now a vice chairman at the consulting firm Booz Allen. “The U.S. intelligence community has information that is of potential value to every corporation in the country. And what we need to do as a nation is find a way to share that information.”
What McConnell would like to do is “provide a framework to share that information, share it in a way that it can be protected. But at the same time, corporate America can use that information to protect themselves from these hostile penetrations.”
The bill being debated this week does just that. It would allow US intelligence agencies to share classified “cyber security threat indicators” with “certified entities,” in order to protect the national security of the United States, and even to grant security clearances on a “temporary or permanent basis” to employees of companies the government wants to let in on its secrets.
McConnell says American companies need to wake up to a danger that he says threatens US global economic dominance. “Information is being extracted from the U.S. every day at the terabyte level,” he said. “We've never examined a major corporation where we didn't find penetration.”
And the cost of all that lost technological and business knowledge, he said, is “hundreds of billions of dollars, and certainly millions of jobs.”
As a vice chairman at Booz Allen, McConnell has a vested interest in laying out the cyber threat – his company provides consulting and cyber security services to its corporate clients.
And even much smaller security consulting companies are seeing a boost to their bottom lines from cyber security.
Former Delta Force Lt. Col. James Reese, CEO and co-founder of North Carolina-based security consulting firm TigerSwan, says he’s making a big push into information technology – a big switch for a company known more for live fire exercises than wireless security.
“In the last two years, we’ve moved almost 50 percent of our business away from federal government work towards the corporate world,” Reese says. “And a lot of that has pushed into cyber.”
The Senate’s cyber security bill, introduced last week by Sen. Joe Lieberman (I-Conn.) and others, is far from a sure thing – critics on the right, such as the US Chamber of Commerce, worry that it imposes too many burdensome new regulations on American companies. And on the left, many worry that the information sharing provisions represent a threat to Internet user privacy.