Two questions should arise from the reported breach by Chinese hackers of the Office of Personnel Management’s (OPM’s) computer system.
First, how can policymakers genuinely help OPM? To be sure, pointing fingers at hacked entities like the OPM — “You should have done more” — may be self-righteously fun, but it’s the rough equivalent of a sugar or caffeine rush. It’s good while it lasts but offers few sustained benefits. The private sector has received its fair share of finger pointing in the wake of cyber incidents, so while a touch of schadenfreude is tempting, it’s ultimately empty and unserious.
Last year, Congress passed federal information security modernization legislation, which the U.S. Chamber supported, to bolster the ability of OPM and other government entities to improve their security. Among other things, agencies are supposed to transition away from mountains of compliance paperwork and toward an automated process of network monitoring. Adding more red tape to the cyber incident won’t help OPM. Asking OPM authorities what they need to assist federal employees, implement the new law, and apply additional security controls will serve them best.
Second, will this hacking episode prompt Congress to pass information-sharing legislation once and for all? It should. And while it is only June, the congressional clock is quickly ticking away. At issue is that businesses and government need to break down the legal hurdles inhibiting the rapid sharing of cyber threat data among multiple entities. Information sharing is happening today, but we can do more — confidently, quickly, and on a broader scale.
The digital tools, tactics, and procedures that the alleged Chinese hackers used to gain access to approximately 4 million federal employees’ personal information need to be made actionable and put into the hands of security professionals so that they can swiftly implement measures to guard the sensitive data and devices they manage.
Sophisticated criminal gangs as well as malicious actors in China, Iran, North Korea, and Russia (or their proxies) should not be allowed to put people's sensitive information at risk of abuse. Their actions can be restricted — if not prevented — through improved information sharing.
The cyber fingerprints of the attack against the OPM need to be shared with appropriate public- and private-sector organizations in a timely manner.
The Protecting America’s Cyber Networks Coalition, which the Chamber helps lead, is pushing the Senate to pass S. 754, the Cybersecurity Information Sharing Act (CISA) of 2015. Enacting CISA is a top policy priority of the coalition, a partnership of more than 40 leading business associations representing nearly every sector of the U.S. economy.
Businesses need legal certainty that they have safe harbor against frivolous lawsuits and regulatory, public disclosure, and antitrust matters when voluntarily sharing and receiving threat indicators and defensive measures in real time — and taking actions to mitigate cyberattacks. Congressional action cannot come soon enough.