Cyber Attack on U.S. Chamber Pressures Congress to Speed Web Rule Rewrite
A cyber attack on the U.S. Chamber of Commerce will intensify pressure on Congress to overhaul Web security regulations written before the existence of Facebook Inc., Twitter Inc. and Google Inc. (GOOG)’s Gmail.
Concern that computer systems for banks, power companies and Internet providers are vulnerable rose after hackers with ties to China stole confidential e-mails and documents from the chamber, the biggest U.S. business lobbying organization.
“Congress and the administration have been dithering over cybersecurity for years,” said Stewart Baker, a former assistant secretary for policy at the Homeland Security Department and a partner at the Steptoe & Johnson LLP law firm in Washington. “In that time, American companies have been robbed blind. This does underline, if any underlining is necessary, that we need a strong cybersecurity bill.”
Senate Majority Leader Harry Reid plans to take up cybersecurity legislation as early as next month to rewrite rules set after the terrorist attacks of Sept. 11, 2001. A U.S. report released last month found that China was the biggest hacker threat to American firms, and those attacks breached the networks of at least 760 companies.
The chamber breach, confirmed by the organization yesterday, shows that even House and Senate members may be vulnerable to foreign hackers, said Jessica Herrera-Flanigan, a former staff director for the House Homeland Security Committee, in an interview.
“This latest compromise should especially be of concern as the hackers potentially could have gotten hold of sensitive and strategic e-mails to and from the chamber and these officials,” said Herrera-Flanigan, who’s now a partner at Monument Policy Group in Washington.
Spy Versus Lobbyist
The chamber, representing more than 3 million members, said yesterday that communications with fewer than 50 of its members were affected by the 2010 attack. It said it hasn’t seen evidence of harm to members or the organization. The security breach was first reported by the Wall Street Journal.
Republican Representatives Peter King of New York and Dan Lungren of California, and Independent Senator Joseph Lieberman of Connecticut, all sponsors of cyber protection bills, said the latest attack shows the need for such legislation.
“Reports like this should serve as a reminder of how important it is for the federal government to secure its networks,” King said in a statement.
Social Network Hackers
New legislation would update a 2002 law that created the Homeland Security Department, predating social media sites that security firms such as Symantec Corp. (SYMC) say are targets.
Hackers exploit some social-networking sites where Web users often let down their guard, according to Symantec.
The company issued 10 million updates and recorded 3.1 billion malware attacks last year, up from about 20,000 software updates in 2002, said Cris Paden, a spokesman for Symantec.
Two House bills are aimed at protecting critical systems and improving the sharing of classified cyber-threat data between companies and government.
One, H.R. 3674, introduced Dec. 15 by Republicans Lungren and King, who leads the Homeland Security Committee, lets the Homeland Security Department identify and suggest ways to thwart the biggest risks.
Preventing Cyber Attacks
The regulators of specific industries -- not the homeland security agency -- would have primary responsibility for writing rules governing cybersecurity operations in their areas, Lungren said in a statement.
The bill creates a U.S. information-sharing organization as a clearinghouse for the government and companies to exchange cyber-threat data. The measure authorizes $10 million in annual government funding for three years to start the organization, Lungren said.
The second House bill, H.R. 3523, was introduced Nov. 30 by Representatives Mike Rogers, a Michigan Republican who leads the House Intelligence Committee, and C.A. “Dutch” Ruppersberger of Maryland, the panel’s top Democrat.
The bill would give companies protections from lawsuits when they tell the government about attacks against their networks, while the government could provide companies with classified cyber-threat data.
Data that companies give the government would be exempt from Freedom of Information Act requests and couldn’t be used by the government to mandate regulations, according to the bill.
“Protecting critical infrastructure won’t happen spontaneously -- there is no business case for it and the market will never deliver,” said James Lewis, director of the technology and public policy programs at the Center for Strategic and International Studies, in an e-mail. “That’s why we need legislation or we’ll wake up some day to find that the lights don’t work.”