Cyber Bills Called Not Enough to Protect Vulnerable U.S.

Proposed legislation in Congress doesn’t go far enough to improve U.S. security against cyber spying and potentially crippling hacker attacks, a former U.S. national intelligence director said.

None of the measures lawmakers are debating authorize mandatory sharing of real-time cyber threat information between government and industry, a process needed to improve the nation’s digital defenses, Mike McConnell said at a Bloomberg cybersecurity conference in New York yesterday.

Hackers and illicit programmers in China and Russia are pursuing American technology and industrial secrets, jeopardizing an estimated $398 billion in U.S. research spending, according to a November report by the National Counterintelligence Executive, which is responsible for countering foreign spying on the U.S. government.

The existing legislation is “necessary but insufficient,” McConnell, now a vice chairman of McLean, Virginia-based Booz Allen Hamilton Holding Corp. (BAH), said at the conference sponsored by his company.

“In looking at corporate America, we haven’t been able to find a single corporation that cannot be penetrated to the point of capturing the most essential information,” he said. He called China the “most prolific” of nation-states trying to capture and steal U.S. intellectual capital.

Bills supported by Republicans and some Democrats would encourage voluntary sharing of threat information, while legislation backed by President Barack Obama’s administration would direct the Homeland Security Department to set cyber standards for critical U.S. infrastructure such as power grids or chemical plants.

Cyber Espionage

Lawmakers are debating cybersecurity legislation following assaults on companies last year including New York-based Citigroup Inc. (C), the third-largest U.S. bank by assets, and Bethesda, Maryland-based Lockheed Martin Corp. (LMT), the world’s largest defense company.

Cyber espionage aimed at stealing U.S. intellectual property is “constantly happening,” Frank Montoya, the U.S. National Counterintelligence Executive, said at the conference. “Technology has really, in many respects, leveled the playing field when it comes to our competitors.”

Montoya’s office in November called China the world’s biggest perpetrator of economic espionage in a report that said the theft of sensitive data in cyberspace is accelerating. Targeted areas include pharmaceuticals, information-technology, military equipment and advanced materials and manufacturing processes, the report said.

Data Sharing

A central piece of cybersecurity legislation in the House would encourage voluntary sharing of cyber-threat information by giving companies immunity from civil and criminal actions arising from the exchange of such data.

“You have nation-states that are stealing intellectual property at a breathtaking rate,” Representative Mike Rogers, chairman of the House Intelligence Committee who introduced the measure, said in an interview this week.

With data-sharing, “by just knowing what to look for, you already improve the safety and security of your network. It gives us a fighting chance in an incredibly aggressive cyber- threat environment,” said Rogers, a Michigan Republican.

Homeland Security

Rogers’ bill, the Cyber Intelligence Sharing and Protection Act, passed his committee in a 17-to-1 vote in December and has more than 100 co-sponsors from both parties, including the panel’s senior Democrat, Representative C.A. “Dutch” Ruppersberger of Maryland. The bill will go to the House floor for a vote next week, Rogers said.

Senate Majority Leader Harry Reid, a Nevada Democrat, has pledged to bring the Obama-backed legislation, from Senator Joseph Lieberman, a Connecticut independent, to the Senate floor.

“We believe information sharing, while important, does not stop the whole problem,” Howard Schmidt, the White House cybersecurity coordinator, said in an interview at the Bloomberg conference yesterday.

Schmidt said legislation should give the Homeland Security Department a role in working with industry, declining to say whether the administration would support a bill focused solely on information-sharing.

Michael Brown, director of product security at BlackBerry maker Research in Motion Ltd. (RIM), told the conference that users face difficult choices balancing usability of devices with security. Mobile to mobile threats are emerging, he said.

Sleeper “botnets” on mobile devices may create the next major cyber attack, said Gary Schluckbier, director of Motorola Solutions’s secure products group.

The Rogers bill is H.R. 3523. The Lieberman bill is S. 2105.

To contact the reporters on this story: Eric Engleman in Washington at eengleman1@bloomberg.net; Juliann Francis in Washington at jfrancis31@bloomberg.net

To contact the editor responsible for this story: Bernard Kohn at bkohn2@bloomberg.net