Cybersecurity is a jobs issue and thus deserves congressional attention,...

of all kinds, the report said: “Information stolen from U.S. databases equals jobs stolen from the U.S. economy,” including small businesses that are hacked and then find copies of their new products “flooding the market at cutrate prices from China within a few months.” That echoes accusations of Chinese hacking made at a House Intelligence Committee hearing Tuesday. The task force, composed of members of nine House committees and led by House Intelligence member Rep. Mac Thornberry, R-Texas, recommended Congress provide “voluntary incentives” for companies to improve cybersecurity, such as rewards for participating in cybersecurity standards development. Rewards could include “varying degrees of liability protections afforded to companies that voluntarily implement the enhanced security practices.” Congress and the White House should give companies subject to information-security regulations in multiple sectors, such as financial services and healthcare, one standard to meet that covers them all. Congress should consider extending tax credits to cyber investments, require minimum cybersecurity protection for federal grant eligibility, and evaluate the cybersecurity insurance market. The government should work with each sector to identify the truly “critical functions or facilities” and not impose regulation on “entire organizations,” and grant liability protection when computers of companies that follow standards are breached, the report said. The Department of Homeland Security should work with other regulators to coordinate standards across and within sectors subject to multiple regulators. The report recommends that Congress “facilitate” an external organization to “act as a clearing house of information and intelligence sharing” between government and critical infrastructure, so as to “detect and mitigate cyber attacks in real time before they reach their target.” The organization would take the government’s knowledge of “classified threat signatures” and combine it with threats known to businesses, so ISPs and other networks could block attacks, and information would be scrubbed of individuals’ “sensitive personally identifiable information” before the government gets it back. Congress would have to change some laws, give “narrowly targeted exceptions” and add lawsuit-liability protection, and possibly give an antitrust exemption, to let carriers share and act on cyber information, the report said. The task force recommended several actions on existing laws: (1) The Federal Information Security Management Act (FISMA) should focus on “secure, continuous, automated monitoring of IT systems rather than the current checklist exercise.” (2) Extend the definition of “protected computers” in the Computer Fraud and Abuse Act to critical infrastructures, “with attached criminal penalties.” (3) Various electronic communications laws need exemptions for sharing cybersecurity information, as well as “some sort of anonymous reporting mechanism” for companies to use so a cyber insurance market can function. (4) Computer fraud should be added to the definition of racketeering in federal law, and criminal penalties instituted for “intentional failures” to provide breach notification for sensitive personally identifiable information. The government needs to answer “difficult questions,” such as its responsibility or authority to defend a private business from cyberattack, how to deter “bad actors” online, the parameters for using intelligence-community information, and the military’s role. The task force raised several other issues that don’t fit neatly into its mandate, including encouraging U.S. ISPs to create a voluntary code of conduct as ISPs in Australia have done with its national “icode.” The report drew applause from USTelecom, CTIA, the Software and Information Industry Association, Information Technology Industry Council and others. Larry Clinton, president of the Internet Security Alliance, called the report “the most detailed and pragmatic public policy blueprint on cybersecurity any government entity has produced,” and largely consistent with the White House’s own cyber proposal. House Republican proposals on data breach notification, FISMA reform, liability protection and information sharing “provide momentum for much-needed legislation that should happen this year,” said Liesyl Franz, TechAmerica vice president of cybersecurity and global public policy.