House Republicans Planning CISPA Reintroduction ‘Very Soon,’ Says Rogers

The U.S. is engaged in a cyberwar “and we are losing,” said House Intelligence Committee Chairman Mike Rogers, R-Mich., during a speech at the NARUC conference in Washington Wednesday. He said it was “shameful” that Congress failed to pass the Cyber Intelligence Sharing and Protection Act (CISPA) and said it’s “absolutely critical” that Congress act this year: “We are absolutely under siege and we are fooling ourselves if we think we don’t have a problem.” White House Senior Director for Cybersecurity Andy Ozment threw cold water on Roger’s cybersecurity approach during a subsequent speech at the event and said baseline industry cybersecurity standards are required to stop most of the cyberattacks.

Rogers told reporters that “very soon” he plans to reintroduce a cybersecurity bill that will be “very close” to CISPA “which passed the House of Representatives in a bipartisan way.” Forty-two Democrats voted for CISPA. It’s based on the concept that most cyberattacks can be prevented by sharing cyberthreat information in a classified way with the private sector, he said. Rogers would not detail any specific legislative changes he planned for the bill, but said he’s “listening to anybody that has a good idea to get it done.” He said he expects the Judiciary, Homeland Security, Intelligence and other committees which share jurisdiction over cybersecurity to work on the legislation “throughout the year.”

Rogers said he’s optimistic that a House cybersecurity bill would advance this Congress despite the Senate’s reluctance to take up CISPA last session. “We think we can find some common ground with the Senate on information sharing,” Rogers said. Last Congress Senate Majority Leader Harry Reid, D-Nev., refused to consider CISPA or the Senate SECURE IT Act, which primarily focused on increasing cyberthreat information sharing between the private and public sector. Recent high-profile cyberattacks against U.S. media and financial companies are beginning to wake people up, Rogers said.

Three countries -- Russia, China and Iran -- currently pose the biggest cyberthreat to America, said Rogers. Russia is the “most sophisticated” of the group, China is actively stealing U.S. intellectual property in order to gain economic advantage, and Iran is “absolutely” capable of making a “non-rational decision,” he said. Rogers blamed Iran for the August cyberattack that rendered useless 30,000 computer systems used by the Saudi Arabian state oil company Aramco. The cyberattack, called “Shamoon,” included a wiper that replaced critical computer files with an image of a burning U.S. flag and overwrote the remaining data on each of the computers. Rogers said if the attack had been more successful it could have shut down communications to “very large swaths of the economy” in and out of the region. His comments echoed recent remarks from Defense Secretary Leon Panetta, who said the Shamoon virus was “probably the most destructive attack that the private sector has seen to date” (CD Oct 15 p8) .

Rogers said he didn’t believe cellphones were secure enough to safely conduct financial transactions. “I don’t know about you but I am nowhere close to letting my phone be my credit card,” he said. “It is incredibly vulnerable.”

Lawmakers are working to craft cybersecurity legislation in a way that avoids a veto from the executive branch, said Rogers. The White House has had “some personnel changes that we've found encouraging,” he said. “At the end of the day this is a balance between what privacy groups want and what is necessary for America to protect its own networks.” Last year the White House threatened to veto the bill due to its lack of privacy provisions and protections for core critical infrastructure.

Ozment told NARUC that the White House continues to prepare a cybersecurity executive order because the nation “can’t wait” for Congress to pass cybersecurity legislation. “We are exploring ways for executive branch departments and agencies to more effectively secure the nation’s critical infrastructure through sharing information and working collaboratively with the private sector to develop and implement better cybersecurity practices,” he said. He would not say when the White House plans to issue the order.

The cybersecurity executive order will not create new powers or authorities for any government agency, said Ozment; rather it’s an “expression of the president’s strategic intent, it’s guidance to departments and agencies expressing what the president wants done and giving them direction.” The forthcoming order is not a substitute for legislation, he added: “We need comprehensive cybersecurity legislation -- we cannot do everything under existing authorities.” Ozment said the government needs to share more information with industry, but failing to ignore basic cybersecurity standards for the nation’s critical infrastructure is unacceptable. “Information sharing alone is not sufficient to address the threat. If you don’t have basic hygiene, no amount of information sharing will protect your systems from determined adversaries,” he said.