HVC-304 (Open, will close)
Tuesday, April 10, 2012
U.S. House of Representatives,
Permanent Select Committee on Intelligence,
The teleconference convened at 10:05 a.m., in Room HVC‑304, the Capitol.
Present: Representatives Rogers and Ruppersberger.
Staff Present: Jamil Jaffer, Senior Counsel; Susan Phalen, Communications Director; and Heather Molino, Minority Professional Staff Member.
SUSAN: Okay. Can everyone hear me? This is Susan of the House Intelligence Committee. Can everyone hear me?
MR. RUPPERSBERGER: Yes, Susan, speak up.
MS. PHALEN: Chairman Rogers is here, Ranking Member Ruppersberger. We are ready to kick off. A couple of quick notes, we ask that you put your phone on mute so that we don't hear the background noise and we want everyone to know that the phone call is being recorded so that we can provide a transcription later. And in the question and answer please provide your name and the organization you work with.
We will kick off with Jamil Jaffer, majority staffer and then we will go to minority, Heather Molino. Those two should be identified if you are going to contact them, HPSCI majority and HPSCI minority. And then the on the record quotes will be with Chairman Rogers and Ranking Member Ruppersberger.
MR. JAFFER: Great, thank you all for joining us. Every day the U.S. is targeted by Russia and China for both cyberexploitation and theft. This effort results in huge losses of valuable, private and government information, including personal information.
Now, today the U.S. Government protects itself by using classified and unclassified threat information that it identifies from attacks on its networks. However, the majority of the private sector doesn't get access to this information because the government has no mechanism today for effectively sharing particularly that classified threat information with the private sector.
This legislation would enable the sharing of that classified cyberthreat intelligence with the private sector to allow the private sector to better defend itself and to provide clear authority for the private sector to look for threats in their networks and to share information within the private sector, as well as on a voluntary basis with the government.
Nothing in this bill mandates or requires any sharing of information either within the private sector or with the government. The bill also protects privacy and civil liberties in a number of ways. First everything here is completely voluntary. Nobody is required to provide anything to anyone else or required to do anything.
It also prohibits the government from requiring the private sector to provide information to the government either directly or by telling the private sector that it won't provide intelligence if it doesn't get anything back. It also encourages the private sector to privatize or anonymize any information that it voluntary provides the government.
It requires an independent inspector general audit of any of the information sharing that takes place with the government. It limits the government's use of that information if it is voluntarily shared, restricts the government's searching of that data and it also provides ‑‑ there are a number of new provisions that the bill's bipartisan co‑sponsors are considering, to include providing a stronger role for the Department of Homeland Security in cybersecurity information sharing, as well as restrictions, enforcing restrictions on the government by providing enforcement mechanism through Federal court lawsuits.
Those are a couple of new provisions that are being considered at this time. This bill is bipartisan. It has over 100 co‑sponsors in the House and came out of the House Intelligence Committee on a 17‑1 vote.
So that is a little bit of background on the bill. I now turn it over to Heather Molino, minority staff for the Intelligence Committee.
MS. MOLINO: Hello, everyone. My name is Heather Molino, I work for the ranking member on the Democrats in the minority, and I would like to echo what Jamil just said about the bill. The reasons that the Democrats supported the bill, the reason that we all do is, you know, we do have a problem with cybersecurity, what is being attacked every day. About $300 billion of intellectual property is being stolen every year, according to U.S. Cyber Command.
I am not going to repeat everything that Jamil said. He did a really good job on the bill.
The biggest thing on the civil side is the minority worked together with the majority to put forth a lot ‑‑ some changes that Jamil highlighted. A lot of them are in the amendments, the Rogers‑Ruppersberger amendment, which creates a lot of limits on the information once it has gotten back to the government, how it can be used and as well as the ICIG amendment, which was the Thompson amendment. And what that does is, you know, make sure that privacy and civil liberties are monitored and that recommendations are put forward in an annual review.
So that is sort of where we stand and the ranking member when he speaks can talk a whole lot more on the record about it, but we do think that this is something that has some privacy and civil liberties protections in it, which is, of course, what we were worried about and wanted to address.
MS. PHALEN: Great, thank you, Heather. This is Susan again from the HPSCI. Next up is Chairman Mike Rogers, and he will then turn it over to Ranking Member Ruppersberger.
THE CHAIRMAN: Well, thank you very much. Thanks, Heather and Jamil, for just going over the bill. We thought that was helpful. One of the things that I think is very important to understand is that this was a year in the making, a result of hundreds of meetings, to include the ACLU and groups like the CDT and others. And, by the way, those meetings are still going to continue to try to put something together that was collaborative that dealt with the very serious challenge of nation state actors, both planning for cyber disruption attacks against the United States and our allies, as well as a nation state focused effort to steal intellectual property for the sole purposes of harming the U.S. economy, and I call it economic predatory behavior, so that they would steal intellectual property from companies that are making the next generation of defense fighters, or fill in the blank, from a military specialty, information that has some commercial value, turn it around and put it back in use in the economy to target and artificially compete against U.S. companies and our allies as well, and it's not just the United States. Our European allies are suffering the same thing, our Asian allies, the same thing. There is no continent in the globe that has been exempt from what is aggressive behavior.
So we spent those hundreds of meetings trying to come to a place where we could all agree that our civil liberties are protected and we allow sharing of information with the people who get up every day in the private sector. And, by the way, this happens every single day. Today the private sector gets up in the morning, and they have folks dedicated to try and make sure that their networks are safe and the information that they have on their networks is safe.
We came up with a 13‑page bill. It was carefully crafted working with Dutch Ruppersberger, my counterpart, and the Democrats on the committee, and I just wanted to talk quickly about some of the civil liberties protections that we put in to make sure that we could get that huge bipartisan support. We have over 105 co‑sponsors now, very bipartisan. We have both the high‑tech community on the West Coast and the financial community on the East Coast agree that this is the right approach because it is so nonevasive and, more importantly, it is completely voluntary, completely voluntary, which is incredibly important.
So we have a couple of things. The bill only permits information directly pertaining to threats or vulnerabilities to be identified and shared only for the purpose of protecting systems and networks from such threats. That is an incredibly important point to what we are trying to do here today and very limiting. That is important. It's very limiting.
The bill authorizes the private sector to anonymize or minimize the cyberthreat information it voluntarily shares, which is important, so those companies can make that determination what they think they minimally need to share in order to resolve their problem. We think that that is also very limiting and encouraging to those folks like me and others and Dutch, and his crew, who are concerned about civil liberties protection.
There is very strong limitations on the government's use of this information. It must be protected from disclosure outside of the government. The government may not search cyberthreat information for noncybersecurity or national security information, incredibly important, which is, again, a very limiting aspect of this and I think there's been some misnomers about what they can and can't do. That is a very limiting provision of this bill to make sure that this is just about sharing bad information, malicious software and code and other things that will allow the private sector to better protect themselves.
It may not require any entity to share cyberthreat information with the government. In other words, they can't force you to give them information, cannot be done.
And we were very clear on that, and this was worked out with Dutch Ruppersberger and myself and his members and my members so that the government couldn't use this as a stick to try and get information it wanted out of the private sector. It is expressly prohibited in this bill from them being able to do that.
The government may not require the sharing of cyberthreat information exchanged for government threats basically. That is exactly what we just talked about. If the government violates any of the restrictions placed on this by the legislation, it can be held liable for damages, costs and attorney fees through Federal lawsuits, which is a provision that we are working through now to try to get there again to just make doubly extra sure that there is ‑‑ the government cannot violate by doing some of the things that people, I think, are worried that it could get them to do. And, by the way, we would have the same concerns.
We didn't want this to be anything other than an ability for the Federal Government to share cyberthreat information with the private sector so they could protect their networks. At the end of the day, that is exactly what the purpose of this bill is. It's the only purpose of this bill, and we think that those processes get us in very clear language to that purpose of this bill.
Again, that is why it's 13 pages. It's very, very narrow, and it is, you know, there will be lots of debates on lots of other bills here as they move forward but the reason this one has such bipartisan support and broad coalition support is, as I said, from people in the high‑tech community and of every other industry is because it is so nonlimiting and so very specific about being an information sharing bill when it comes to threat information, and if this is going to work correctly we have to remember, this is going to deal with hundreds of millions of packets of information per second. So this isn't a content‑driven event as some would have you believe, this is all about making sure that they know what that malicious threat code looks like and being able to share what that code looks like with the private sector so that they, in fact, can protect all of our networks as we use them and openly use the Internet.
And so with that I'm going to turn it over to my counterpart on the committee, who has done just an excellent job working through some very difficult issues on this bill Dutch.
MR. RUPPERSBERGER: Thank you, Mike, and I want to thank you for working together, Republicans and Democrats, on behalf of our country.
The first thing, I want to talk about how we got where we are. When I, in 2006, became chairman of the Technical and Tactical Subcommittee on the Intelligence Committee, and that committee is the committee that oversees all the SIGINT, what National Security Agency does, cybersecurity, space, those types of issues. Most people in this country don't really understand how serious the issue of cyberattacks are. You know, we are being attacked every day as we speak, Asian actors like China and Russia. I know China ‑‑ and I, back a couple of months ago, came out with a press release accusing China of stealing billions of dollars of information from not only our National Security Agency and government entities, but also the private sector, who don't know, you know, what they are doing.
Now when these hackers steal intellectual property they take new high‑paying jobs along with all the other damages that we do have. Estimates of loss from economic espionage are hard to make, but range anywhere from 2 billion to 400 billion a year. And, just as important, many of the same vulnerabilities used to steal intellectual property can be used to attack the critical infrastructure we depend on every day.
Now, China is the world's most active and persistent perpetrator of economic espionage. And as I said before, U.S. companies have reported an onslaught of Chinese cyber intrusions. This information may be used to give Chinese companies an unfair competitive advantage, not even to talk about the advantage they get as they attack our DOD systems and other areas. Now, the intelligence sharing must, is the only way that we are going to be able to help the private sector protect ourselves, our businesses, our personal computers, all of those different issues.
And I do want to again reiterate what we have done as far as the civil liberties issues. A lot of the members on my side on the Intelligence Committee spoke very strongly about the civil liberties issues, as I do, and I want to thank the chairman for working with us, because we had very, very aggressive debates on this issue before we agreed to come up with a bill that passed our committee 17‑1.
Drafting, during the drafting of this legislation, as well as during the markup, we fought for a lot of provisions that are in the bill and will ‑‑ by the way, I want to make this clear because the chairman and I talk just almost every day on this issue, and we still have not finished what we are doing as far as trying to add to the bill to make sure that it is a good bill.
It is going to protect our country and protect our civil liberties. We communicate with the White House on a regular basis. They have some issues that they would like us to work on. And to add to the bill, Chairman Rogers and I 2 weeks ago met with Senators Feinstein and Chambliss, because we passed the bill, and if we can't get a bill passed in the Senate what good does that do. So we're working, as we have on our past budget issues, with Senators Feinstein and Chambliss. So it's important that the administration, the Senate and the House all come together.
Now, again I'm going to reiterate some of the things the chairman said, but I think it's important because it is where we are coming from the Democratic side, First Amendment, that we had limits how the Federal Government can use the information private companies share with ‑‑ after a cyberattack, the Federal Government cannot use the information for regulatory purposes.
The Federal Government cannot require private companies to share information with it as a condition of initially receiving the cyberthreat intelligence. That is called the anti‑tasking provision. The Federal Government may only use the information for the purpose of cybersecurity or the protection of national security, and that is the Thompson amendment. And that is very important that that amendment is there because we need to have the check and balance.
And what happens basically is that the Inspector General of the Intelligence Community has to ensure that none of the information that is provided to the government is mishandled or misused. The Inspector General will have oversight and the Inspector General will include recommendations to include protection and privacy in civil liberties every year. So this will be evaluated, and that really is a large check and balance.
In addition, current Federal regulations also protect privacy when personal identifiable information like names, e‑mail addresses, et cetera, about American citizens is given to the Intelligence Community.
The Attorney General approved procedures already requiring Intelligence Community agencies to destroy the personally identifiable information and, except in very limited circumstances, for example, when this information is necessary to understand, to assess the information for national security purposes.
And, again, I want to reiterate this bill only deals with the issue of national security or cyberattacks and all those other issues, like regulatory issues, if you cheat on your taxes or whatever, that is not going to be a part of this bill. Malicious code or other technical information critical to contain the cyberthreats may be kept by the Intelligence Community.
Now this bill does not provide any authority for the government to monitor private networks or read private e‑mail, and that is important because those allegations have been made by certain media outlets and we have to get to the facts. In addition, it does not allow the government to load any monitoring or software program on your computer at home. That is extremely important from the perception of the government. The bill allows companies to strip all personal identifiable information from the information it shares with other private companies or for the government and the bill does all this without requiring additional Federal spending.
It's so important that we understand how serious the cyberattacks are. Those of us on the Intelligence Community receive a lot of classified information, serious threats, al‑Qa'ida threats, China intrusions, Russian intrusions, other countries.
And yet people ask us what keeps you up at night. The two things that bother me the most from national security are weapons of mass destruction and a catastrophic cyberattack, that being taking out a grid system in a major urban area, air traffic control system, a bank system. We know that the NASDAQ has been attacked.
We just 2 weeks ago had an issue involving our credit cards, our MasterCard was being attacked. We have to deal with this issue. We need to protect our country.
You know, if we knew that a country like Iran was sending overt airplanes to bomb the United States we would do something about it. Well, we need legislation now to protect our country, and yet we also will clearly, all the time will protect our constitutional rights and our civil liberties.
Thank you for my comments, and I guess I will turn it back over to you, Mr. Chairman.
THE CHAIRMAN: Thanks, Dutch.
MR. RUPPERSBERGER: Okay.
THE CHAIRMAN: One of the things I just want to clear up, we are going to get to questions, but when I talk about intellectual property, I am not talking about MP3 files or movies or music, I'm talking about billions of dollars that American companies spend on research and development every year, and I mentioned a little bit in the beginning. Jet engines for the next generation of fighter planes is important, but this is also pesticide formulas that allow American companies to compete globally. It means pharmaceutical formulas, all of these things we know have been targets of economic espionage. It's about how to make car parts in certain ways. All of these things are real cases that have happened and other folks like China are using that as economic predators to target the economy of the United States over a period of years.
So you have three fronts to this problem. You have the criminal front where people are just trying to steal identities, get into your account and steal your money. You have the cyberattack that Dutch referenced where we believe that there will be a catastrophic cyberattack if we don't at least start to put some protections in, because we are not talking about small groups. We are talking about nation states who are engaged in activity to shut down, well, sections of an economy, and we saw that happen when the Russians invaded Georgia. So this isn't pie in the sky stuff. We have real examples of it.
And, lastly, this cyber espionage piece that is absolutely devastating to the future economy of the United States of America, we know they are engaged in it. It's a problem which is why you have seen a carefully crafted, narrowly focused volunteer‑based bill that has such a broad spectrum of support.
And with that, we will go ahead and open it up to questions. If you wouldn't mind, please identify yourself before you ask the question.
Q I will go first, Jason Miller, Federal News Radio.
MR. RUPPERSBERGER: Can hardly hear you. Talk louder.
Q Sorry, Jason Miller, Federal News Radio. One question that comes up when you talk about the civil liberties and privacies, and it says the government can't use information except for cyberthreats and national security, I think one concern that pops up is when it comes to something like the PATRIOT Act having fell under national security. How does the bill address that issue of how do you clearly define what is a national security threat ‑‑
THE CHAIRMAN: Well, this is very narrow in the sense that it has cybersecurity threats, so it has to pertain to networks.
It is self‑explaining in its own right, you know, the bill that you referenced dealt with a whole different set of issues. This is very narrow and it is a cybersecurity focus, so that this is information that would be malicious source code, which would have to be the first part of that definition that would deal with getting into private networks for the purposes of cyber disruption or theft of property or, you know, fill in the blank, or criminal activity, I suppose, but criminal activity would be pretty hard to get to even under this bill.
MR. RUPPERSBERGER: And, Mike, just to reiterate that, too, one of the most important aspects of this bill is that it is voluntary.
Once the government or the Intelligence Community gives the source code or the malware information to the private sector, there's no quid pro quo. It clearly goes to the private sector who then uses their resources to protect their customers and themselves, and it's only voluntary if they want to come back to the government and in this bill and what we are ‑‑ in there, that would be Homeland Security, so you don't have the DOD or the Intelligence Community be involved in that process.
It's really a basic 13‑page bill that will take the 1947 law that says no classified information can be given to another entity that is not classified. This now allows that, to change that 1947 law and to pass this information on a voluntary basis, no quid pro quo. That also means there will be no surveillance by the Federal Government.
THE CHAIRMAN: And, Jason, I just want to read one line out of the bill because I think it addresses your question. It is limited to information that, quote, directly pertains to a threat to or vulnerability of a system or network, which is very, very limiting language.
Q Hi, this is Chris Croom with Bloomberg. Can you hear me okay?
THE CHAIRMAN: I can. We have a little bit of a feedback.
Q Yeah, I do too but it's gone now.
I am wondering, when you are bringing the bill to the floor, have you already agreed to make any changes to the bill, or what are the changes that you are now considering making to the bill, and how do you go forward in terms of the multiple pieces of legislation that have been proposed in terms of trying to merge them together?
THE CHAIRMAN: Yes. Let me just give you a couple of the new provisions that we are working through the final language, but it would require the Department of Homeland Security to generally receive copies of voluntarily shared cyberthreat information, so there was some concern that, you know, that this was going to be run by an agency other than a Homeland Security‑type agency and that just was not true. So we worked with a whole bunch of folks to come up with some language that clarifies that the Homeland Security is absolutely involved in the process, that the Homeland Security would also generally have the role of sharing voluntarily shared information with the government and would be required to be consulted by the Director of National Intelligence on sharing and security clearance procedures and guidelines. So we wanted to make sure that the Homeland Security had a part of that conversation and, again, the reason, the Director of National Intelligence is involved is because they control most of the ability to do and conduct security clearance backgrounds.
So we wanted just to make sure that the Homeland Security is in consultation as they develop that, because certain companies are going to go through the process. We want to make sure it's a fair, open, but at the end of the day a secure process so that we can share information in a classified way to protect sources and methods of its collection.
And the bill would make clear that it grants no new authority to the Department of Defense or the Intelligence Community to require or direct any private or public cybersecurity efforts. So we again went right back to folks' concerns and said well, all right, make it ‑‑ that was our intent of the bill, so we will make it more clear in the bill that the Department of Defense or the Intelligence Community cannot require or direct any private or public cybersecurity effort. So make sure that that notion that they can get out and collect is somehow a surveillance program is absolutely inaccurate. We think that goes a long way to dispel that and making it very clear that is not what this bill is about.
And one of the last ones we are working on, if the government violates any use of this, the bill provides for government liability for actual damages, costs and attorneys fees. I mentioned that earlier, but that is one of the new provisions that we are putting in once again just to make sure that people will understand how serious we are that this is a sharing of threat information bill only, and it will be nothing more than that so we think we are going to strengthen it up by that bit of language.
The second part of it is, you know, we are still in the works about what, you know, how many bills and how it's going to be worked to be sent to the Senate, so that is still up for negotiation. I think the Rogers‑Ruppersberger bill will carry, I think, a fair number, it will carry the actual sharing piece and the liability piece and the Homeland Security piece and then there may be some, another bill that is dealing with the research and development grants and other things, oh, and penalties bill, exactly. There may be a penalties bill to increase the penalties for countries like China who are stealing intellectual property and then putting it in use in China ‑‑ to target U.S. jobs so that piece ‑‑ those are likely to be the pieces, but I can't say for certain that that would be the only set of pieces that would be there going into the following week.
MR. RUPPERSBERGER: This is Dutch. First thing, this thing, as the chairman and I stated in the beginning, we are still working on issues, and we are still listening about what are relevant issues because we know that we need to pass legislation that will allow us to protect our national security from these cyberattacks, and yet we know how important civil liberty is.
We also purposefully did a very small bill, only 13 pages. That is probably a record in the House as far as how major the bill is, and we know that there's a lot of cyber legislation out there in the House and in the Senate. And what we're trying to do is to allow our country to protect itself from these attacks, because I'm concerned that a lot of the cyber bills and issues out there are going to take a long time to pass.
So that is why the chairman and I have felt a very strong we need to keep the door open. And we are continuing to negotiate with the Senate and with the civil liberties groups. I know that just in this coming week when we come back we will be meeting, you know, with the different groups we have for the last year. We have spent a lot of hours bringing in different groups, including the ACLU and other, other civil liberties groups just to get their point of view and make sure that they are heard.
I think, as an example, the open mind, and I thank the chairman because we have had a lot of negotiations especially on the Democratic side, we have made the civil liberties a very high priority, and the chairman has listened. And just the fact that he has agreed that if we violate any of the limitations that were mentioned the bill that provides for government liability, for actual damages, cost and attorneys' fees in a Federal lawsuit that was not part of the bill. This was just recently added, so this is important that we listen, we deal with the issue because it's important that we come to a consensus to pass a bill to protect us from these cyberattacks.
Q Hi, this is Lee Burton from Tech Dirt.
MR. RUPPERSBERGER: From where?
Q From Tech Dirt. I just want to go back to the question about the national security provision, because it seems like, although the information is shared for cybersecurity purposes, the government is permitted to use it and affirmatively search it for national security purposes not ‑‑ it doesn't have to be related to cyberthreats. So, I mean, that kind of goes back to the first question about, you know, what are the limitations on there because national security can be a very broad definition?
THE CHAIRMAN: Well, first of all, we are looking for nation state actions, so let me give you an example. If you recall right after 9/11, there were these barriers between the FBI talking to the CIA, that just almost unanimously people thought was a bad idea. And so what it would allow them to check for is, I don't know, I will give you an example, if, yes, there is a cyberattack, malicious code ware coming in and, oh, by the way, it's going to be followed up by some kind of physical action in the United States, you don't want the government to say, well, we are not going to, we can't tell you about, we can't tell you that something is going to blow up in the United States. That, I think, would be a horrible mistake.
And so, in some of these cases you have to understand that in military planning today, with nation state actors, cyberattack and disruption ‑‑ and by the way, now cyberattack, the way some nation states can pull it off actually mean things get physically ruined. So it's not just you, your website goes down for a day, there is actual physical damage to certain, could be facilities, it could be operations that, I mean just physically stop working and that is a whole different ballgame.
And so what you want to be able to do is say, hey, that is a cyberthreat, but there is a national security, a broader national security threat. Up to that point they have the ability to do it, but again this isn't anything beyond that. This is nation state actors who we know have a part as their future military planning, that cyber disruption, is what we used to call prepping the battlefield. And so that is pretty serious stuff, and I just think we don't want to get in the business of not using it to the full extent to protect and defend the United States of America.
MR. RUPPERSBERGER: Yes, and let me just kind of answer your question, which I think directly, and I think agree with what the chairman said, first thing there's no affirmative search on the part of the government. The government cannot require companies to do that at all or give government emails and that type of information, and it is voluntary. And that was specifically put in, the voluntary, because this is not surveillance.
Companies can give back information about an attack as it pertains to a threat or vulnerability of a system or a network, but only as it relates to national security and also as it relates to any cyberattack. And that's the answer to your question.
Q This is Alan Fitzpatrick with ‑‑
Q From the Hill.
THE CHAIRMAN: Yes?
Q Andrew Klein from the Hill.
THE CHAIRMAN: Okay, I can hear Andrew the best, so we will go with you. I don't know if I heard the second guy?
Q Alan Fitzpatrick. I am wondering, on technology blogs, a lot of social networks, about how this is the next SOPA. Are you going to be doing anything to address Internet users specifically? Not ‑‑ Internet users specifically on why this might be a good bill?
THE CHAIRMAN: Oh, yes, we are trying to communicate. This is a step in that direction to talk to them. We have talked to just a whole host of groups to try to get them to help us communicate. I mean, Facebook and the Internet security alliance, folks like that who talk to us and bloggers on this particular call, because I think there is in these things first, the first thought is and, by the way, we had the same thought a year ago is, hey, we need to do this. This is serious business. You better make sure that you are doing this right.
So one of the things that we wanted to do is have this dialogue today to allow people, A, to ask questions and, B, understand exactly what's in the bill and what's not in the bill. Here's the good news, it's really a short 13 pages for those who have lots of questions about it. I would hope that you would please take the time to actually read the bill. The language in there is really clear and we talked ‑‑ the new provisions won't be in there, but we have got some new provisions that make it even more clear about it.
So with your help, quite frankly, Alan, that we are hoping that you do talk about the bill, and what our efforts are, and what our goals are, and what we are trying to accomplish, and how we are working with people to try to get the language right so that we are doing this exactly right and we're reaching out through our websites, our Facebook, our Twitter accounts to try to get information as wide out there as we can.
MR. RUPPERSBERGER: I think it's really important that we deal with the issue because it's very easy to take back some manipulated ‑‑ put something out there that isn't. Clearly there's no censorship of websites or shutting any website down, didn't have any in this bill to do anything like that.
THE CHAIRMAN: If, by the way, you have questions and we hang up the call and we didn't get to you or you have a question or a technical question we can answer, call the committee. We will get you the right resource to talk to. You can either ‑‑ we will either hook you up with Dutch or myself or maybe somebody here that can answer your question and that number is 202‑225‑4121. That rings directly to the Intelligence Committee spaces. So if you have a question that you for some reason today don't get answered or feel like you have a follow‑up, please go ahead and do that.
Q I am from Wired. I have a two‑part question.
THE CHAIRMAN: Okay.
I think we had Jason first, Andrew from the Hill. I am sorry. Can we go to Andrew and then we will go to Wired.
THE CHAIRMAN: Andrew, you still there? Andrew, you lost your slot in line. We are going to Wired. You're up.
Q Okay, I'm up. So you are making a lot of emphasis on the fact that this is an information‑sharing only bill. There was a limited study done by Carnegie Mellon that actually looked at how useful different information sharing can be and it involved sharing, classified information from the NSA ‑‑ ISPs that processes traffic for defense contractors, and the result of the study showed that the information actually added no value to what the companies already were doing in their efforts for protecting their networks.
So I guess the first question is what exactly do you imagine is going to happen in this information sharing, what it would be, the action results from this information sharing if a test has already showed there's no valued added to that?
THE CHAIRMAN: Yes, well, two points to that. A, I completely dispute the findings to that. One of the things, there was something called a DIB project for the study. There were about 17 defense contractors who were already not in the business of selling protection services in many cases but also working with the NSA along the way.
And so in order to see if this was even feasible and workable they started what is called the DIB project. The Defense Industrial Based Pilot Project. And what they found was people were a little reluctant to share in the beginning. They were a little nervous about this whole arrangement, so that got better over time. And that, I think, was reflected in the study as well. We also found that people who are in the business of providing security services, not only interested in telling people they can't figure out what bad things are going to happen to you, number 2, which is why this is important. And, lastly, it wasn't necessarily those 17 companies, it was their supply base. So you went from companies who had very large, very robust, very capable cybersecurity shops or IT shops with a security bent to them to people who are providing them, working with them in the supply chain who had almost no IT shop, no cybersecurity experience, that were incredibly vulnerable.
And, by the way, when they are vulnerable and you are still working with that larger company, that made the larger company vulnerable. That is where they found this huge benefit was going to come from because you will now get to those supply chain folks. They will get the same benefit of that shared malicious source code. They may not even know it, but through their ISP provider, that malicious code will be caught before it ever gets into their networks.
And that's the beauty of this and that is where we think the biggest bang for the buck is. Remember, that was such a very small target group of people that already knew they were under assault ‑‑ hundreds of thousands of times, by the way ‑‑ and so that is where we think we made, we make the biggest bang for the buck judgment. That is why the private sector is clamoring for it, because they don't get the value of that information today in a way that even the DIB project people got before this started. And so they feel if they can get just access to what is bad hanging out there, that they can do a huge service to the average Internet user sitting at his or her laptop at their desk in the evening, you know, sending their pictures to their friend in California, whatever.
I mean, that is where the huge benefit comes from and those folks that use their personal devices and their laptops for commercial purposes, if you have wholesale disruption, you can imagine what chaos that might cause. This helps them and protects them. And this is not even something that they would notice because filters, if you will, would convey upstream from the information that they are using on their Internet.
MR. RUPPERSBERGER: Yes, Mike, and I agree with you, I think bottom line, this goes to the basis, our bill is based on ‑‑ part of our bill is based on the DIB pilot. This bill is a program that worked, that was tested. Mike talked to you about the problems in the beginning, and it all came together.
It works, and all we are attempting to do is to give our private sector, our citizens, our businesses the ability to protect themselves. We can't do that right now. We can't protect them. We can protect the government side, and we can protect the intelligence side and we are doing a great job in doing that, but we are also going to need to get it to them. If that malware, if it's coming in, the bad stuff, if it's coming in, then getting it to the other side and doing that in a very small bill, 13 pages, and also protecting our civil liberties.
Q The second part of my question was when the information is going, Internet information comes from government to private sector ‑‑ or classified information, classified, private sector ‑‑ are there any limits placed on that information being passed to other entities, for instance, anti‑virus companies or partners overseas or based on that ‑‑
THE CHAIRMAN: Are you talking about from the government perspective or from the private companies' perspectives?
MR. RUPPERSBERGER: Hello?
THE CHAIRMAN: Are you talking about the government's perspectives?
MR. RUPPERSBERGER: What she is talking about, yes, there are limits in the bill about passing it to another area, and they have to be clear. They have to be a part of the process, and they are going to have to be pursuant to the mandates that will be set out in order to be able to get this information from the Director of National Intelligence, and that is the purpose of the bill to make sure that we don't violate that information. A lot of the information, by the way, that is coming are all numbers and figures in the majority of cases.
Q But my question is when it goes to that first tier of people that have that relationship, is there anything that limits that first tier, that passing of that information to subtiers of people or organizations?
THE CHAIRMAN: Well, only as it relates to securing a system or a network, and, so, again, what I think this isn't, a lot of people believe that what we are talking about is content driven. This is really, I think Dutch alluded to zeroes and ones that extrapolate to data packets.
Q No, I get that we are talking about SIGINT architectures?
THE CHAIRMAN: Yes.
Q My question is can the SIGINT architectures that the National Security Agency has, for example, that are classified, are they going to be declassified and passed to IST?
THE CHAIRMAN: No, here they are not going to be declassified. Now I follow your question, so it's still classified information, and we have those relationships a lot with our national labs. So there's information exchanged between the private sector and the government when it comes to research and development‑type things. And that information cannot be shared, just like it can't be here. If you are a cleared entity and you get this information and it is classified, you are obligated to protect it.
You have to protect that information as classified information. Now, you can build it into your ‑‑ the security of your network, some people call, you note, I don't know, they call it the black box, right, so nobody can really see what's in there but you know there's an ability to stop malicious code from flowing through that so that it doesn't get to the networks. They can do that kind of thing. The way we envision this is probably the larger providers will use this as a part of a security service because they can protect it without you knowing that malicious code.
It still protects your network, so as I said you are on your iPhone using it as your credit card, you will have no idea that they will protect you from, you know, the Russian, nation state actors trying to get in and pilfer your systems and penetrate your codes. That will all be done upstream with these, this classified setting of shared information exists.
Q Okay, thank you.
Q Hi, this is Marine Gilman.
THE CHAIRMAN: Go ahead.
MR. RUPPERSBERGER: I didn't catch the name?
Q Marine Gilman.
THE CHAIRMAN: Thanks, Marine.
Q My concern, is the a definition of cyberintelligence and cyberthreat too vague, and there are two categorical types of cyberdata ‑‑ like six specific categories. Is there a worry that the current definition of cyberdata or cyberintelligence information is too vague or might be? I guess in the future, like, could this bill possibly borrow the language of the other bill?
THE CHAIRMAN: Well, the way this is different ‑‑ hello, uh oh, terminal went off.
THE CHAIRMAN: They went out of business about 90 days after this happened. They are gone. They don't exist anymore. You know, maybe ‑‑ so they were supposed to do these certificates. So there's a great example. But the motivation for companies is the sheer survival, and the sophistication and aggressiveness of these attacks is growing exponentially. I used to say, yearly, I think it's monthly, nation states are deciding that this is a relatively cheap investment to cause huge economic or disruption capability harm to their enemies.
And it is, in their mind, a great investment. They are spending lots of money. They are getting better by the day, and I think companies will know it. Again, they don't want to talk about it. They won't publicly talk about the sheer number of attacks. However, they know it's in their best interests for survival, economic survival to participate.
Q Well, do you think those same sensitivities are at play for utilities. Companies like Mid Michigan?
THE CHAIRMAN: Well, yes, there's going to be some infrastructure. The Energy and Commerce Committee is dealing with the infrastructure side of this, and so we believe that they are, they are going to have, it looks like it may be a voluntary standard, but I think that is still debated in the Energy and Commerce Committee. It's a little out of our jurisdiction here in the Intelligence Community, but the fact that there will be certain requirements for them going forward, that, and I believe it's in their best interest to make sure this doesn't happen either, you know, wholesale economic loss or any loss of power over any time is not good for their bottom line.
And so now I think the debate there is just about how they come to an agreement about what those standards look like and how they meet those standards but, again, that is not in this bill. It is not in the jurisdiction of this bill and that is in the Energy and Commerce. What's in the discussion form. I don't think it's even a bill yet.
MR. RUPPERSBERGER: Mike, did the Hill reporter come back on? I know he was online? I think we lost them.
MS. PHALEN: He did not come back on. This is Susan. He is not able to dial back in.
MR. RUPPERSBERGER: Okay?
Q Hi, it's Jennifer Martinisi from Politico.
THE CHAIRMAN: Yes.
Q So for one of the new amendments that is being considered, where if the government uses information, a lot of it can be brought up against them. I think it's essentially for a private right of action, I guess that as an ‑‑ how do I know that information is being used, I guess. Is that enough of a escape part?
THE CHAIRMAN: Yes. Well, go ahead. Let me just answer that, and then I will let you follow up, Jennifer, if that is okay.
Yes, in the sense that the IG goes, their sole responsibility is to make sure, and every year we get a report that well, the public, to ensure that the information is being treated accordingly. Now that clearly, they will find if there's information being misused.
Secondly, if there is some event that happens to an individual, you will clearly know that your information has been an issue. I can't foresee one, I am not sure I could even give you an example how that might even happen given the way they are instructed.
But on the chance that happens, then that might clearly be a cause of action. But the biggest safeguard is that this independent third party IG, the whole purpose is to make sure that this information is used and reports to us, which is also our responsibility as the oversight committee to make sure it's being used properly so that would give them an important leg of that cause of action.
MR. RUPPERSBERGER: Yes, most importantly that the checks and balances are in place. And here's an example with Mike, and Mike, I thank you for this, has allowed us to continue to work with all entities, whether it's on the civil liberties side to make sure that we make changes as we move forward because we feel very strongly that this 13‑page bill needs to be moved as quickly as possible once we have it where we need to it to be so that we can protect our country. We are being attacked as we speak right now, and yet we are not able to protect our citizens.
And the issue of civil liberties is major, and we are attempting to deal with it and we still have an open mind of where we are going to go with the bill, if there are other suggestions that can make the bill better and make people feel secure in this country.
THE CHAIRMAN: Jennifer, thank you. You had a follow‑up I think?
Q Yes, right, and yesterday, Anonymous claimed responsibility for an attack on a couple ‑‑ Telecom and Tech America and, you know, there's some talk on Twitter and the Internet about comparing this bill to SOPA. I guess are you concerned about this rising conversation on the Internet about this comparison and that you are kind of stirring up the backlash that Mr. Ruppersberger referred to?
THE CHAIRMAN: Well, apples and oranges. They are so completely different that there is just absolutely no comparison, number one, and one of the reasons we are getting out talking to people is for that very reason so that they understand that this is apples and oranges. This bill was something completely different, you know, worried about MP3 files and movies, and this bill has nothing to do with that. And so we feel confident that once people, again, we wanted to keep it short, we wanted to keep it very concise, 13 pages so people could read the bill. You know, you draw up a 300‑page legalese document and put it in front of somebody, it takes three lawyers to get through it to understand what it means.
This bill doesn't have that problem, and that is why we are using very clear language, so people understand this is about nation state actors who are seeking to disrupt the very people that they are talking about, so systems, by the way, will get protected by this bill because we will have a better understanding of the malicious software that is flying around to stop things from happening, and stop eCommerce, and steal intellectual research and development property for the next generation of American deployment. So we feel very confident that people will realize that is an apples to oranges comparison. Nothing about that particular piece of legislation is relevant to this bill.
MR. RUPPERSBERGER: And just to reiterate there's no ‑‑ as it relates to the issue of SOPA, its apples and oranges. I agree with the chairman there's no censorship of websites or shutting down any website in this bill. The government doesn't have any authority to do that, and we are not involving ourselves in people's personal computers or anything of that nature. That is clear it's not in the bill, and if it's being put out there that it is, it's factually incorrect.
Q Do you have any response as to what happened yesterday in Tech America ‑‑
THE CHAIRMAN: I am just not. I know something happened, I don't know exactly what happened.
Are you there?
Q I'm here, uh‑huh.
THE CHAIRMAN: Well, I do know one thing, by the way, that there was, apparently, a disruption of service attack but both entities still believe that it was important enough to come out and say they supported this version of the bill. Again, apples and oranges, very different, and we are, again very concerned about nation state actors here and that is really the focus of this bill.
MR. RUPPERSBERGER: Well, in answer to that question, and let me reiterate this, the CEO of Telecom made the following quote. Hold on. I don't have that have quote there. Let me give it, I believe, based on what happened there that every individual ‑‑ the right to free speech and political protection and that launching a cyberattack to intimidate and squelch their speech goes against the American freedoms we hold dear. The Cyber Protection Intelligence Act will help protect organizations against these kinds of denial as much as attacks.
And, you know, there's a quote made by the CEO of Telecom addressing, you know, the issue. And, you know, if you want I can read that or if you want me to, or do you already have that? It says basically that Walter McCormick said that as an industry and in the business of facilitating communications, we respect the right of those called Anonymous to express their views and engage in lawful political ‑‑ that by launching a cyber attack in an effort to coerce and ‑‑ ironically by their actions Anonymous activists underscore the importance of speedy action on the bipartisan Rogers‑Ruppersberger legislation to ensure that the Internet remains an open and safe forum for all.
And that is the CEO of U.S. Telecom. That is his statement as a result of their attack, their being attacked, cyberattacked.
Q Hi. This is Andrew from Digital Trend.
THE CHAIRMAN: Hi, Andrew.
Q Hi, just a kind of a follow‑up to Jennifer's first question. In terms of the nukes provision under consideration, that would allow the Federal Government to be liable for damages and costs if the information is used or collected inappropriately. I am wondering would a private entity that provides that information that was used inappropriately have immunity from lawsuits from individuals or private parties that are affected by the inappropriate use of that information?
THE CHAIRMAN: They are only protected if it is cybersecurity or national security information, excuse me, cyberthreat information. So it has to be for cybersecurity protection purposes. Other than that, they are subject to all of the same laws and conditions. So if they collect it wrongly and use it incorrectly, all of that, they are subject to the same laws that they are today.
Q But ‑‑
MR. JAFFER: Last question.
THE CHAIRMAN: Well, thank you very much. I know it's been long. I am sorry about the technical difficulties on our end, but as we said before, please get ahold of us if you have any questions. We are eager to answer the misnomers out there, the purposes and goals, and I think the seriousness of protecting our Nation's Internet services so that it can be open and free and available to all. And so with that, we will hopefully talk to you all very soon.
[Whereupon, at 11:12 a.m., the teleconference was concluded.]