Helping businesses defend against cyber threats
Analysts with the National Security Agency see the threats coming at corporate America: viruses, worms and other malware targeting the computer networks that serve the nation's banks, utilities and businesses.

But the 64-year-old law that established the modern U.S. intelligence community prevents them from sharing the classified details with the private businesses in the cross hairs.

"I'm really concerned that we will have some type of serious attack within the year," said Rep. C.A. Dutch Ruppersberger, who receives security briefings as the top-ranking Democrat on the House Intelligence Committee. "Air traffic control systems when the planes are flying. Grid systems for energy. Banks really concern me."

The Baltimore County Democrat and Mike Rogers, the Michigan Republican who chairs the committee, are co-sponsoring legislation that they say would begin to break down communication barriers between the nation's intelligence agencies and U.S. companies.

The bill would promote unprecedented cooperation between the government and the private sector by allowing the NSA and other federal agencies to pass classified information to vetted companies so they can defend against disruptions, destruction or the theft of trade secrets, business plans and private information about customers and employees.

But while many agree on the need for greater coordination against cyber threats, some express concern about the potential impact on civil liberties — from government agencies gaining access to personal details about private citizens to the possibility of an information clampdown as threat data is labeled secret.

Estimates of the impact of cyberattacks on the U.S. economy begin in the billions of dollars annually, and analysts say the costs are growing. Web-based attacks nearly doubled from 2009 to 2010, according to Symantec Corp. The cybersecurity giant also reported encountering more than 286 million unique variants of malware last year.

The overall threat level is difficult to measure. Private businesses don't always know when they have been hacked; when they do, they often prefer to keep the information to themselves.

But Peter Kilpe, creative director of the Baltimore security firm CyberPoint, calls the threat "huge."

"It's probably one of the most important issues facing businesses right now," he said. "We're more connected than we ever have been in any other time in our history, and we're more dependent on computers. That's everything from doing business on your PC to computers being part of life-sustaining infrastructure — power, water."

Rogers speaks of an "economic cyberwar" being waged against U.S. businesses by "economic predators, including nation-states." U.S. officials have identified Russia and China as the most aggressive countries.

But Ruppersberger says terrorists concern him the most.

"I don't think China's going to try to attack our energy systems or anything like that, because we owe them too much money," he said. "But al-Qaida and other extreme groups could hire some brilliant hackers — and they're all over the world — and pay them millions of dollars to make an attack."

The Cyber Intelligence Sharing and Protection Act of 2011, introduced Wednesday by Rogers and co-sponsored by Ruppersberger, is one of several proposals to address cybersecurity in the private sector.

But with strong bipartisan support — the measure cleared the Intelligence Committee on Thursday by a 17-1 vote — more than a year of consultation with the White House and the backing of several key Internet service providers and trade organizations, it might have the best chance of becoming law.

Critics say they recognize the need for better cybersecurity coordination between the government and the private sector, but they express concerns about the details.

Richard Forno, director of the graduate program in cybersecurity at the University of Maryland, Baltimore County, says a requirement in the bill that would require employees of private businesses to get security clearances to receive threat details would likely lead to more details being classified, which could impede the flow of information.

Forno also questions language that would appear to relieve companies of legal liability for vulnerabilities they have shared with the government. "That sounds like a giant get-out-of-jail-free card," he said.

Michelle Richardson, legislative counsel for the American Civil Liberties Union in Washington, says the bill could allow companies to share personal information about clients, customers and employees with the government.