"If the Chinese are doing economic espionage to the point that it does strategic damage to this country, and we have the answer - the ability to block, mitigate or eliminate that threat - why aren't we putting those two together?" former vice admiral Mike McConnell, who ran the NSA during the first Clinton administration, said during an oil and gas cybersecurity event in west Houston. "We've never done it before."
At the American Petroleum Institute's ninth annual Cybersecurity Conference & Expo, McConnell said security agencies such as the NSA have collected data on troves of state-sponsored malware. But they have never shared it with the industries, such as banking, oil and gas, and telecommunications, that are threatened by the advance of malicious code aimed at spying on U.S. companies and stealing secrets.
He said those industries need to urge Congress to pass two bills working their way through the House and Senate. Both bills would require authorities to divulge sensitive data, in a bid to protect infrastructure that moves oil and gas around the nation and machines that extract oil and make gasoline, among a litany of other critical assets.
"We must have a legislative framework to force this action," McConnell said. "There's a potential for extremist groups to do harm to the nation, and Congress diddles."
The House passed the proposed National Cybersecurity and Critical Infrastructure Protection Act earlier this year, and a Senate committee is working on another bill co-authored by Sen. Dianne Feinstein, D-Calif., called the Cybersecurity Information Sharing Act. Both require agencies to share information with private market players. But several similar bills have died in Congress, even as oil companies, banks and other firms have reported a growing threat from hackers.
More than half of the 200 or so cyberattacks reported in the first six months of 2013 to the Department of Homeland Security's industrial control systems emergency response team have targeted energy companies, according to the Oil and Natural Gas Information Sharing and Analysis Center, an industry group formed in June to analyze cyber-threats to oil and gas companies.
And economic espionage cases pursued by the FBI have more than doubled in the last 18 months, as foreign nations are becoming more aggressive in their attempts to steal U.S. technologies, said Chandra McMahon, vice president of commercial markets for defense contractor Lockheed Martin, during the conference.
China, McConnell said, is behind about 80 percent of the world's economic espionage, and most nations, apart from the United States, the United Kingdom and a handful of others, spy on others explicitly for economic gain. But while Fortune 100 companies have been increasingly tackling cyber-threats, smaller firms typically don't have the resources to build defenses, said Mark Weatherford, a principal at the Chertoff Group, who also spoke at the conference.
Big oil and gas companies have critical infrastructure in the Middle East, as well, making them more vulnerable to state-sponsored attacks, said Julian Waits, president and CEO of ThreatTrack Security, who attended the conference.
But Waits said he's skeptical Congress will make serious breakthroughs in sharing critical data with private companies because most legislators don't "understand enough about the problem." Such changes will require leadership from the NSA and other agencies, he said.
"Until there has been a breach large enough where it costs more jobs or costs more money, I just don't think our legislators, and more specifically the American public, will react to it," Waits said. "I don't think everything should be classified. Some things should be shared in the wild so vendors like myself can build protections for U.S. companies."
If the cybersecurity laws passed, it would be far easier to write insurance policies to protect against cyberattacks when companies share defense strategies with their peers and across industries, McConnell said. Getting access to federal data could mark a watershed moment in cross-pollination efforts, he said.
U.S. companies have struggled to find insurance policies that cover cyberattacks, and only a fifth are covered for damages, leaving most exposed to huge financial losses if they're attacked. But the oil industry is expected to spend $1.9 billion on cybersecurity defense systems by 2018, according to data released earlier this year by ABI Research.
"If you get a phone call about a problem, it's too late," McConnell said. "We're going to have to tackle this problem at network speed. From Tokyo to New York, that's 30 milliseconds."
©2014 the Houston Chronicle