HOUSTON – The United States can only thwart China’s economic espionage if lawmakers require intelligence agencies to share their secrets about the world’s most dangerous malware tools – and how to stop them – with the private sector, a former National Security Agency director said Tuesday.
“If the Chinese are doing economic espionage to the point that it does strategic damage to this country, and we have the answer – the ability to block, mitigate or eliminate that threat – why aren’t we putting those two together?” said former vice admiral Mike McConnell, who ran the NSA during the first Clinton administration, during an oil and gas cybersecurity event in Houston. “We’ve never done it before.”
McConnell said security agencies like the NSA have collected data on troves of state-sponsored malware, but have never shared it with the industries threatened by the advance of malicious computer codes aimed at spying on U.S. companies and stealing secrets.
He said those industries, such as the banking, oil and gas, and telecommunications sectors, need to urge Congress to pass two bills working their way through the House and Senate that would require authorities to divulge sensitive data, a bid to protect infrastructure that moves oil and gas around the nation and machines that extract oil and make gasoline, among a litany of other critical assets.
“We must have a legislative framework to force this action,” McConnell said. “There’s a potential for extremist groups to do harm to the nation, and Congress diddles.”
The House passed the proposed National Cybersecurity and Critical Infrastructure Protection Act earlier this year, and a Senate committee is working on another bill co-authored by Sen. Dianne Feinstein, D-Calif., called the Cybersecurity Information Sharing Act. Both require agencies to share information with private market players. But several similar bills have died in Congress, even as oil companies, banks and other firms have reported a growing threat from hackers.
More than half of the 200 or so cyber-attacks reported to the Department of Homeland Security’s industrial control systems emergency response team have targeted energy companies, according to a new industry group formed to analyze cyber-threats to oil and gas companies.
And economic espionage cases pursued by the Federal Bureau of Investigation have more than doubled in the last 18 months, as foreign nations are becoming more aggressive in their attempts to steal U.S. technologies, said Chandra McMahon, vice president of commercial markets for defense contractor Lockheed Martin, during the conference.
China, McConnell said, is behind about 80 percent of the world’s economic espionage, and most nations, apart from the United States, the United Kingdom and a handful of others, spy on others explicitly for economic gain. But while Fortune 100 companies have been increasingly tackling cyber-threats, smaller firms typically don’t have the resources to build defenses, said Mark Weatherford, a principal at The Chertoff Group.
Big oil and gas companies have critical infrastructure in the Middle East, as well, making them more vulnerable to state-sponsored attacks, said Julian Waits, president and CEO of ThreatTrack Security, who attended the cybersecurity conference.
But Waits said he’s skeptical that Congress will make serious breakthroughs in sharing critical data with private companies because most legislators don’t “understand enough about the problem.” Such changes will require leadership from the NSA and other agencies, he said.
“Until there has been a breach large enough where it costs more jobs or costs more money, I just don’t think our legislators, and more specifically the American public, will react to it,” Waits said. “I don’t think everything should be classified. Some things should be shared in the wild so vendors like myself can build protections for U.S. companies.”
It’s far easier to write insurance policies to protect against cyber-attacks when companies share defense strategies with their peers and across industries, and getting access to federal data could mark a watershed moment in cross-pollination efforts, McConnell said.
U.S. companies have struggled to find insurance policies that cover cyber-attacks, and only a fifth are covered for damages, leaving most exposed to huge financial losses if they’re attacked. But the oil industry is expected to spend $1.9 billion on cybersecurity defense systems by 2018, according to ABI Research.
“If you get a phone call about a problem, it’s too late,” McConnell said. “We’re going to have to tackle this problem at network speed. From Tokyo to New York, that’s 30 milliseconds.”