Boosting Cybersecurity

The largest chemical maker in the United States is urging Congress to give companies immunity from civil and criminal liability on data exchanges that prevent the federal government and the private sector from sharing information about legitimate cyber threats. “Large companies such as Dow are seeing an increase in the risks we face” from cyber criminals, Dow Chemical’s chief information officer, David E. Kepler, told a joint meeting of two Senate committees on 7 March. Chemical companies regularly have to defend against information security threats, including corporate espionage and the theft of intellectual property, he said.

Over the past five years, Congress has struggled to reach consensus on how to boost the nation’s cybersecurity. To help fill the void, President Barack Obama issued an executive order last month that aims to improve communication between the government and private companies and establish voluntary security standards. But Administration officials acknowledge that there are limits to what they can accomplish without action by Congress. The executive order “does not grant new regulatory authority or establish additional incentives for participation in a voluntary program,” Homeland Security Secretary Janet Napolitano said at the hearing. Napolitano called for legislation that would expand cyber-threat information-sharing capabilities and give U.S. law enforcement agencies new tools to fight crime in the digital age.

Although many companies have developed information security defence strategies as the threat has grown in recent years, Kepler agreed that legislation is necessary to strengthen collaboration between the public and private sectors. “I think there is a cultural issue with information sharing,” he remarked. “Government doesn’t want to share it, and business doesn’t want to share it. We have to create an environment where we can share key information about these critical threats.”

Cyber information-sharing legislation must include liability protection for businesses that share “early threat or attack information” with the government, Kepler said. Data voluntarily provided by the private sector should also be “adequately protected” from public disclosure through Freedom of Information Act requests, he told the senators. Kepler pointed out that companies are also reluctant to share information with each other, fearing they will violate antitrust laws.

Chemical & Engineering News, 14 March 2013