Helping businesses defend against cyber threats
"When they report cyber incidents or want to share cyber information with the government, it should really be limited to technical data and only the information that's necessary to deal with the threat," she said. "We're concerned also that once it's in government hands, there's no use restriction. … It can be used in criminal cases, immigration enforcement or whatever."

Such objections recall criticism of the so-called warrantless wiretaps authorized by the Bush administration in an attempt to intercept communications by al-Qaida and other adversaries as part of the war on terror. The ACLU and the Electronic Frontier Foundation have sued the NSA and AT&T over the electronic eavesdropping program.

Ruppersberger says he shares concerns about civil liberties. At the urging of Ruppersberger and Rogers, the Intelligence Committee amended the bill to bar the government from searching data supplied by private companies for any purpose other than cybersecurity or the protection of national security.

The bill would not require private businesses to report cyber threat information to the government.

Ruppersberger says the legislation is aimed at improving communication about malware — "a bunch of ones and zeros that make up a computer code that will do bad things to your computer" — not personal information about individuals associated with a business. He describes the bill as a work in progress on an issue that demands immediate attention.

"We're getting attacked as we speak," he said. "It's getting worse and worse every day. I've made the analogy, if we knew that a country was sending a plane over to bomb us, we'd take it out."

He says the legislation should improve communication between the government and the Internet service providers that serve businesses and consumers — "the AT&Ts, the Verizons, the Qwests."

"NSA has this information, and they know that major companies are being attacked, but they're not allowed to pass classified information," he said. "Now you're saying, 'OK, providers, we are giving you the secret sauce. We're giving you the code so you can protect yourself.'"

The National Security Agency referred questions about current communication with the private sector to the Office of the Director of National Intelligence. That office did not respond to requests for comment.

Ruppersberger says the legislation builds on a pilot program that has allowed sharing between the NSA and selected defense contractors — and helped thwart hundreds of cyberattacks.

AT&T, IBM, Microsoft Corp. and Verizon have expressed support for the legislation, as have the U.S. Chamber of Commerce and several financial and communications industry associations.

"There is a critical role for government in securing cyberspace," said Walter B. McCormick Jr., president and CEO of the industry group USTelecom. The bill, he said, "sets forth a path that would enable government and network providers to better share information in real time."

Cyberattacks are a global challenge. In a heavily publicized recent case, a South Korean bank lost ATM and online banking service for several days in an attack this year and key financial information was destroyed. South Korean prosecutors blame North Korea.

Closer to home, a Hungarian pleaded guilty in federal court last week to transmitting malicious code to Marriott International Corp. and threatening to reveal confidential information about the company if he were not offered a job maintaining the network.

According to a plea agreement, Attila Nemeth, 26, sent the Bethesda-based hotel chain an email last year containing attachments that included confidential information that had been stored on company computers.

Nemeth acknowledged sending an infected email attachment to Marriott employees in order to install malicious software that gave him a back door into the network, according to a statement by the U.S. attorney for Maryland.

Ursula Powidzki, director of business development at the Maryland Department of Business and Economic Development, says large companies — financial institutions, insurance companies, retailers and supermarkets — know they are vulnerable.

"They have a lot of consumer data that is a very obvious target for criminal hackers," she said. "It's the small and mid-sized companies that don't fully realize how exposed they may be."

She speaks of a "very, very sophisticated" small-business owner in Maryland whose consulting website was hacked.

"They spent three days having to bring in outside people to help get the site back up," Powidzki said. "She had no idea why someone would do this or how they did it. They had to get up the learning curve very, very quickly."

Derek Gabbard, CEO of Lookingglass Cybersecurity in Baltimore, predicted that private companies would welcome more information from the government.

"Folks that are running threat intelligence teams in the private sector are dying for more data," he said. "They understand that the adversaries are sharing information."

But he says businesses might be skeptical about government intentions and be hesitant to divulge information.

Gabbard said intelligence officials "need to share and not expect anything back for quite a while, until the private sector is comfortable that the government really is a partner and not trying to use them as a sensor grid."

"One of the old mindsets that hopefully is changing is that government just wants to collect information without producing anything back," he said. "It's kind of a one-way transmission."