Boosting Cybersecurity

The nation’s largest chemical maker is urging Congress to give companies immunity from civil and criminal liability on data exchanges that prevent the federal government and the private sector from sharing information about legitimate cyber threats.

“Large companies such as Dow are seeing an increase in the risks we face” from cyber criminals, Dow Chemical’s chief information officer, David E. Kepler, told a joint meeting of two Senate committees on March 7. Chemical companies regularly have to defend against information security threats, including corporate espionage and the theft of intellectual property, he said (C&EN, March 4, page 12). Over the past five years, Congress has struggled to reach consensus on how to boost the nation’s cybersecurity. To help fill the void, President Barack Obama issued an executive order last month that aims to improve communication between the government and private companies and establish voluntary security standards.

But Administration officials acknowledge that there are limits to what they can accomplish without action by Congress. The executive order “does not grant new regulatory authority or establish additional incentives for participation in a voluntary program,” Homeland Security Secretary Janet Napolitano said at the ­hearing.

Napolitano called for legislation that would expand cyber-threat information-sharing capabilities and give U.S. law enforcement agencies new tools to fight crime in the digital age.

Although many companies have developed information security defense strategies as the threat has grown in recent years, Kepler agreed that legislation is necessary to strengthen collaboration between the public and private sectors.

“I think there is a cultural issue with information sharing,” he remarked. “Government doesn’t want to share it, and business doesn’t want to share it. We have to create an environment where we can share key information about these critical threats.”

Cyber information-sharing legislation must include liability protection for businesses that share “early threat or attack information” with the government, Kepler said. Data voluntarily provided by the private sector should also be “adequately protected” from public disclosure through Freedom of Information Act requests, he told the senators.

Kepler pointed out that companies are also reluctant to share information with each other, fearing they will violate antitrust laws.