Consolidate Most Cybersecurity Efforts at Commerce, Ex-Senator Testifies
All federal cybersecurity efforts that don’t directly relate to defense should be consolidated within the Department of Commerce, former Sen. Slade Gorton, R-Wash., told the House Commerce Committee’s Oversight subcommittee Tuesday. The subcommittee hearing focused on determining ways to best solve cybersecurity threats to U.S. intellectual property.
Gorton, a member of the Commission on the Theft of American Intellectual Property (IP Commission), was one of the authors of an IP Commission report released in May that recommended the U.S. government restructure its response to IP theft. The government’s cybersecurity response has been too decentralized to get a firm grip on the problem, Gorton said Tuesday. The U.S. has “got to put a stop” to IP thefts originating in China, said House Commerce Committee Vice Chairwoman Marsha Blackburn, R-Tenn. The IP Commission said China is responsible for 50 percent to 80 percent of all cyber IP thefts. Gorton’s recommendation “has merit,” said Rep. Bill Johnson, R-Ohio: “Someone at the cabinet level should be responsible for this effort.”
Gorton said there isn’t a “focal point” spokesman for the administration on cybersecurity, referencing concerns Oversight Subcommittee Chairman Tim Murphy, R-Pa., raised at the beginning of the hearing over the White House’s decision not to send a representative to testify. “If you make that focal point the Secretary of Commerce … I think that would be a major step forward,” Gorton said. The White House’s decision not to send a representative was “unfortunate … given the importance of this issue and the priority the administration has given it during its recent talks with the Chinese president,” Murphy said. Rep. Jan Schakowsky, D-Ill., said the White House had recommended other administration officials who could testify on issues covered at the hearing because the representatives the subcommittee invited were unable to attend.
James Lewis, Center for Strategic and International Studies director-Technology and Public Policy Program, told the committee he was “ a little surprised” by Gorton’s recommendation to consolidate cybersecurity efforts at Commerce, saying there needs to be more thought given to the Department of Defense’s role in combating cyber threats. “It’s a bit of a sensitive topic at this time” given recent leaks about National Security Agency surveillance of phone metadata and Internet data, but NSA does “have capabilities that we're not taking full advantage of,” Lewis said. Tuesday’s hearing occurred in the midst of bilateral U.S.-China meetings over cybersecurity and other issues. The NSA leaks are unlikely to give China “much negotiating benefit … because the U.S. has always told China that military espionage is a two-way street and that it is China’s commercial espionage that creates problems,” Lewis said.
China “will steal and reverse-engineer anything they can get their hands on,” making it vital that President Obama uses his authority under the International Emergency Economic Power Enhancement Act (IEEPEA) to declare cyber IP theft an “extraordinary threat to the national security … or economy” of the U.S., said Larry Wortzel, a member of the U.S.-China Economic and Security Review Commission. Invoking the IEEPEA would give Obama greater powers to freeze assets and block imports and exports, Wortzel said. China’s military will target critical U.S. infrastructure if it gets into a military conflict with the U.S., making it vital that companies apply a standard set of security, Wortzel said. Lewis said he believes Iran poses the biggest cyber threat to critical U.S. infrastructure.
Subcommittee members from both parties said they are concerned about the effect cyber IP theft has on U.S. businesses. “If our IP is being targeted, U.S. jobs are being targeted -- and this must stop,” said House Commerce Committee Chairman Fred Upton, R-Mich. Congress isn’t helping the administration protect businesses from cyber theft, said Rep. Henry Waxman, D-Calif., saying the Cyber Intelligence Sharing and Protection Act (CISPA) is “flawed” because it doesn’t include mandatory standards on cybersecurity. The IP Commission has said cyber IP theft costs U.S. businesses $300 billion per year, along with the loss of more than 2 million jobs. The Government Accountability Office (GAO) Chief Economist Susan Offutt said Tuesday that her agency believes the IP Commission’s estimate is “not credible."
The U.S. must find ways to get companies to “harden their networks,” Lewis said. The National Institute of Standards and Technology is facilitating development of a voluntary industry-led Cybersecurity Framework of standards and best practices, which Lewis said he hopes will “encapsulate” practices that will make it harder to infiltrate U.S. networks. Although CISPA has gotten “mixed reviews,” the government needs to identify a way to increase threat information sharing with companies, he said.