Prepare to Share: Cyber Legislation to Impact Treasurers

  • By Andrew Deichler
  • Published: 10/2/2015
WASHINGTON, D.C. – Rep. Devin Nunes (R-Calif.), Chairman of the House Permanent Select Committee on Intelligence, and Rep. Adam Schiff (D-Calif.), Ranking Member of the House Permanent Select Committee on Intelligence, both appear confident that a bill promoting information sharing between the public and private sectors will be passed in the coming months. Their comments came during the Washington Post Cybersecurity Summit on Thursday.

Of course, cybersharing has both advantages and disadvantages for corporate treasury and finance professionals.

Cybersharing

Though Nunes believes that creating laws around cybersecurity is near impossible due to the rapid changes in technology, he sees merit in setting up information sharing across the public and private sectors. “We’ve passed legislation in the House overwhelmingly; it has not passed in the Senate but we’re hopeful that it will pass, because then we can get something done,” he said. “We believe that sharing is an area where you can’t do any harm. It doesn’t hurt anybody to talk, but right now they can’t even talk.”

In addition to getting dialogue going between corporate and government entities, the cybersharing bill would also protect businesses against potential lawsuits, Nunes noted. “It gives companies liability protection so that they’re not afraid to share information,” he said. This would be a major incentive for treasurers to share information—among financial professionals’ chief concerns is whether their organizations would be held liable for cyber incidents.

Schiff also sees the cybersharing bill as a step in the right direction. “It’s certainly not going to cure all of the problems that we have,” he said. “But fundamentally, it will allow companies, when they’re attacked, to share information with the government and each other. It will tell fellow companies, ‘This is the malicious code that you need to look out for; this is what attacked us. You need these defenses.’”

Treasury and finance professionals have expressed some reluctance to cybersharing, largely because they feel that it’s not a two-way street. While businesses are constantly being asked to supply information to the government, they don’t see the government sharing much with them. Washington Post reporter Robert O’Harrow asked the representatives whether the government plans to do a better job of sharing with the private sector, and whether there is a plan in place to actually punish people within the government who misuse the information that businesses supply.

“That’s the goal of our legislation assuming we get this signed into law,” said Nunes. “We believe we’ve struck the right balance.”

Noting that the cybersharing bill is “on a very short list of things” that Congress thinks it can get done this year, Schiff said that the bill is a broad expansion of legislation previously introduced in the defense industry that has been well-received. “The defense sector feels the government really has shared information with them, saying ‘Hey, this attack is coming, this is what you need to look out for’,” he said. “I think in the defense sector, they really appreciate that ability to share information with the government and get information back.”

As for the possibility of sensitive data falling into the hands of bad actors within the government, Schiff said that companies are required to strip out any personal data before they share details about a cyber incident. “If the government gets it and there’s some personal information still entwined in the malicious code, the government has to do a second scrub to take that personal information out,” he said.
 
Cracking down on cyberespionage

Another positive development for businesses was Chinese President Xi Jinping’s pledge last week that the Chinese government would not engage in cyberespionage for commercial gain, Schiff added. “The Chinese have been the world leader in the theft of intellectual property through the cyber realm and there’s not even a close second,” he said. “But I think as a first step, getting the Chinese to acknowledge certain rules of the road—that economic espionage is prohibited—is a positive step.”

Nevertheless, Schiff is skeptical about whether China will keep this promise. He believes that the pledge is not likely to have an impact by itself; therefore, the U.S. government will have to introduce a series of sanctions on any Chinese companies that have benefitted from the theft of American intellectual property. “That’s going to be tough because they will reciprocate,” he said. “But we need the Chinese to think before they embark on this that there’s a real cost to them.”

Private sector response

O’Harrow asked the representatives whether private sector entities should retaliate when they are victimized. While Schiff believes that private companies certainly need to develop their own cyberdefense capabilities, he warned them against engaging in retaliatory attacks. “They won’t have the capability of assuring that they’re attacking the right target,” he said. “Obviously there could be a lot of subterfuge about where an attack is coming from; there could be the use of innocent parties’ computers as botnets to carry out an attack. The government has gotten very good at attribution, but I would be worried about the private sector.”

Nevertheless, the private sector has to get involved in some capacity to solve the greater problem, Nunes said. “The government is just not going to be able to do it,” he said. “The intelligence community can’t hire enough contractors to solve all of these problems, especially as the technologies evolve so rapidly.”

Copyright © 2018 Association for Financial Professionals, Inc.
All rights reserved.