A “tipping point” is coming regarding the need for legislation that will let the government and industry share information on cyber attacks, said House Intelligence Committee chairman Devin Nunes.
“With the daily growing cyber attacks… you would think there would be the political will to get something done,” Nunes (R-Calif.) said Sept. 10 during a panel at the Intelligence and National Security Summit hosted by AFCEA and the Intelligence and National Security Alliance (INSA).
As cyber attacks become more of a threat to the United States and corporations holding sensitive data, Nunes said he personally thinks the need for legislation already has hit its tipping point.
Over the last year, several high profile cyber attacks have compromised government, corporate and citizen data. Most recently, almost 22 million current and retired federal workers’ personal information was exposed in a hack on the Office of Personnel Management. Others suffering from large scale cyber breaches include attacks on the Defense Department, Sony, American Airlines, Target and The New York Times.
In 2014, industry reported it detected 42.8 million cyber attacks a day, according to a survey by PricewaterhouseCoopers.
For the past five years a member of the House Intelligence Committee has introduced a bill to permit voluntary sharing of data on cyber attacks between the private sector and the government.
“We are only trying to get to that first step of just allowing company to company to talk, company to government to talk, just to talk about the threats,” Nunes said.
The most recent iteration of the bill passed the House in April by a vote of 307-116. However, it has languished in the Senate since the House passage.
Opponents of the bill are concerned it may be used as a means for the government to collect more data on citizens if private companies give their data over.
That debate came to a head this summer when the Justice Department tried to obtain text messages from Apple for an official investigation. However, Apple did not comply, claiming the text messages were encrypted, an article by The New York Timessaid.
When data is encrypted only the user of the device can decode the message. Apple’s iMessage automatically encrypts messages when they are sent and decodes them when the user receives them. The Justice Department wants technology companies to use a less complex encryption, so files can be wiretapped, the article states.
House Intelligence Committee Ranking Minority Member Adam Schiff (D-Calif.) said government and industry have a long way to go before they can find middle ground on the issue, but he finds it unlikely that Congress will try to provide some sort of legislative mandate.
“At this point I think there is no consensus at all, not even the beginning of a consensus, about how to resolve the [problem],” he said. “Certainly on the one hand there is a need for us when we can obtain legal process and make the requisite showing to get access to devices.”
Schiff said that still does not solve the problem of non-American companies providing complex encryption capabilities that are impossible to intercept.
“You could have users migrate to that for nefarious work, but also you have the competitive challenge to American companies if they are viewed as a facilitator or arm of the [National Security Agency],” Schiff said. “That argument seems equally unassailable to me.”
FBI Director James Comey took a stronger stance during a later panel saying he is concerned that skepticism of government surveillance has bled over into cynicism.
“It is something that is getting in the way of reasoned discussion and it’s making it very, very hard for us to have a serious discussion about our authorities and how we use them,” he said. “There really is a problem with universal strong encryption and it’s colliding with something we also care very much about, which is security on the Internet.”