The White House clearly hasn’t forgotten about the cyberattack that struck the federal Office of Personnel Management. Late last week, facing mounting pressure to respond to the theft of millions of federal workers’ personal information, the Obama administration announced plans to retaliate against China, the alleged culprit behind the attack.
Has Congress forgotten about the breach, though?
It’s a question that should be asked after the Senate this week elected not to take up the Cybersecurity Information Sharing Act (CISA), which would protect companies that share information about data breaches and other cybersecurity-related experiences with both government officials and other companies. Such legislation is necessary, experts say, to help the public and private sector strengthen their defenses against future attacks.
Like its counterparts in the House, CISA would “help companies achieve timely and actionable situational awareness to improve the business community's and the nation's detection, mitigation, and response capabilities,” Bruce Josten, the U.S. Chamber of Commerce’s executive vice president for government affairs, wrote recently.
Added Matthew Eggers, the Chamber's senior director for national security and emergency preparedness: “Businesses need legal certainty that they have safe harbor against frivolous lawsuits and regulatory, public disclosure, and antitrust matters when voluntarily sharing and receiving threat indicators and defensive measures in real time.”
Why is that so important? Look no further than the OPM attack.
“The digital tools, tactics, and procedures that the alleged Chinese hackers used to gain access to approximately 4 million federal employees' personal information need to be made both actionable and put into the hands of security professionals, so they can swiftly implement measures to guard the sensitive data and devices they manage,” Eggers says.
In other words, if we don’t understand what happened, we can’t learn from our mistakes. And if we don’t learn from mistakes, we can expect to see more attacks in the future.
“Sophisticated criminal gangs as well as malicious actors in China, Iran, North Korea, and Russia (or their proxies) should not be allowed to put people's sensitive information at risk of abuse,” Eggers wrote following news of the attack earlier this summer. “Their actions can be restricted -- if not prevented -- through improved information sharing.”
The White House, which has backed CISA, hasn’t forgotten the OPM attack. Nor, we’re willing to bet, have the tens of millions of workers whose information was stolen.
It’s important that their representatives in Congress don’t forget either.