Millions of federal workers have been receiving emails from the federal government's Office of Personnel and Management – and it’s not the type of alert you want to see pop up in your inbox.
Instead, it is OPM notifying millions of government employees that they have been among the victims of what appears to be one of the biggest cyber attacks in the country's history, the details of which started to surface earlier this month. Initial reports suggested the hackers may have stolen personal information from as many as 4 million U.S. government employees; however, Bloomberg later reported that the tally may run as high as 14 million federal workers. Congressional staffers were among the victims, too.
The attack, which many U.S. officials believe originated in China, has thrust cybersecurity back into the spotlight in Washington.
Of course, the federal government is hardly the first American organization to fall victim to a costly and sophisticated data breach. In just the past few years, Target, Sony, Home Depot and several other U.S. corporations have suffered large-scale attacks, resulting in the theft of customer data, internal communications and other sensitive information.
It’s evidence, experts say, that no single company -- no matter how large -- can defend itself on its own against today's increasingly sophisticated cyber criminals. It will require a team effort, with U.S. business leaders across industries sharing their experiences, their observations and their best practices with government officials and with other companies.
But that won't happen, experts say, without sensible protections for companies that share information. If U.S. business leaders must worry that a disclosure that's meant to protect the country and its job-creators from cyber criminals may instead land their own companies in court, those conversations -- the ones we need to be having in order keep our nation one step ahead of cybercrime -- won't happen.
That's why the U.S. and its business community need legislative solutions like the ones that passed the House earlier this year: the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPAA) of 2015. The measures would shield American firms that share cybersecurity-related information from, for instance, regulatory actions, lawsuits and FOIA requests stemming from their disclosures. Senate leaders are currently charting a path forward for similar legislation, which passed with overwhelming bipartisan support out of the Senate Intelligence Committee in March.
The cybersecurity measures would "improve information sharing between businesses and government entities, giving both the tools they need to better prepare for and protect against cyber threats," Bruce Josten, the Chamber's executive vice president for government affairs, said after the bills were approved in the House back in April. In another letter sent to members of the Senate on Thursday, Josten added that the bill would "help companies achieve timely and actionable situational awareness to improve the business community's and the nation's detection, mitigation, and response capabilities."
Other cybersecurity experts have agreed. Arun Vishwanath, an expert on cyber deception at the University at Buffalo, recently told USA Today: "If a company gets attacked and releases that information and everybody else is made aware of that, they can immediately protect themselves."
But the clock is ticking. Matthew J. Eggers, the Chamber's senior director for national security and emergency preparedness, wrote in a column earlier this month that he hopes this latest attack will prove to be the catalyst that prompts action on similar cybersecurity bills in the Senate.
"The digital tools, tactics, and procedures that the alleged Chinese hackers used to gain access to... federal employees' personal information need to be made both actionable and put into the hands of security professionals so that they can swiftly implement measures to guard the sensitive data and devices they manage," Eggers wrote. These types of digital attacks, he added, "can be restricted -- if not prevented -- through improved information sharing."
Josten, Eggers and the Chamber aren't alone. In April, 40 U.S. business groups representing nearly every industry sent a letter to the Senate urging it to follow in the House's footsteps by passing cybersecurity information-sharing legislation.
"Congressional action cannot come soon enough," the groups wrote.