Rep. Mike Rogers (R-MI) and Rep. Dutch Ruppersberger (D-MD) know a secret: The Federal government is REALLY good at watching people, much better than, say, the private sector. So they asked themselves (at least they did in my mind), "Why not share some of that information in order to protect American businesses from the ubiquitous cyber-security threat?"
Hey guys…that’s a damn good idea!
Seriously, I thought it was a great idea. So it was with a good deal of enthusiasm that I printed out H.R. 3523, or to use its more sexy name, the “Cyber Intelligence Sharing and Protection Act of 2011”. There are only 11 pages, a lot of it standard language stuff, but it essentially lays out that the governement can share with the private sector and vice versa. Of course, it's never that simple. For example, the NSA can only share with cleared organizations that can demonstrate they know how to handle classified information.
There is also the small matter of the following statement from the proposed legislation: "classified cyber threat intelligence may only be … shared consistent with the need to protect the national security of the United States.” Which, of course, leaves one giant question: What, exactly, constitutes a threat to national security?
There are, of course, the obvious…terrorists, nuclear proliferation, hostile foreign nations, and the like. But that isn’t what Rogers and Ruppersberger are thinking here. They are, according to Mike Rogers, targeting “economic predators, including nation-states, [that] are blatantly stealing business secrets and innovation from private companies.”  So we aren’t talking missiles, bombs and airplanes, we’re talking, potentially, about contract negotiations, natural resource surveys and customer lists.
A recent report  by the Office of the National Counter Intelligence Executive (ONCIX) states that “Losses of sensitive economic information and technologies to foreign entities represent significant costs to US national security.” Clearly, this administration, and apparently this congress, are adopting the position that jacking with U.S. companies jacks with the national security. Given the nature of the world today, I think they're right to do so.
I know...I'm not well known for staunchly backing the ideas of legislators or administrators. You wouldn't be blamed for thinking I’m a cynical, pessimistic nutter who lived by himself in a wooden hut, eating nothing but pickled ginger and gummy bears while spending his day ranting about the overly generous nature of most computer networks. But this time -- and I do have trouble saying this -- I think they’re on to something. The private sector just isn't in a position to match the federal government's ability to generate intelligence. In fact of all the things the government could provide in the forms of mandates, laws, policies, rules, reporting requirements, CISSP factories, etc... intelligence is really the only thing that makes sense. It's the only thing that they can provide that industry can't legitimately generate itself. I think this is a really good piece of legislation.
Of course, there are lots of ways to screw it up, and I'm sure that some of those ways will be found. But if we get into the habit of having the government share information and letting organizations figure out how to act on the information, we'll be headed down a very good path.
 And nothing in this blog post would prove you wrong…