CISPA isn't the only piece of cyber-security legislation that passed the House this week.

The Federal Information Security Management Act of 2013 updates the 2002 version of the federal IT security law, known as FISMA, by requiring government agencies to constantly monitor their computer networks for threats

Right now, FISMA requires government agencies to perform only yearly evaluations of cyber-threats and vulnerabilities. Yours truly can't tell you how many times I've heard cybersecurity experts say the current version of FISMA does nothing to stop fast-paced cyber threats; it's merely an exercise in checking off boxes.

As a statement released this week by Rep. Jim Langevin, co-chair of the Congressional Cyber Caucus says, "While the annual reports currently mandated under FISMA are supposed to give government executives overall insight into security management of their networks, this does not provide the minute-by-minute view into network security that is needed.

"It's just an out of date and slow process for examining security of government networks," a House staffer told Killer Apps. The new version of FISMA would mandate "continuous monitoring of networks and provide regular threat assessments."

Here's an excerpt from the Library of Congress' official summary of FISMA 2013, explaining the change in the reporting procedures:

Directs senior agency officials, with a frequency sufficient to support risk-based security decisions, to: (1) test and evaluate information security controls and techniques, and (2) conduct threat assessments by monitoring information systems and identifying potential system vulnerabilities. (Current law requires only periodic testing and evaluation.)

Directs agencies to collaborate with OMB [the Office of Management and Budget] and appropriate public and private sector security operations centers on security incidents that extend beyond the control of an agency. Requires that security incidents be reported, through an automated and continuous monitoring capability, when possible, to the federal information security incident center, appropriate security operations centers, and agency Inspector General.

The House also passed the Cybersecurity Enhancement Act which requires the National Science Foundation, the National Institute of Standards and Technology, and "other key federal agencies" to develop a strategic plan for federal cybersecurity research and development work, with a focus on securing industrial-control systems and developing advanced protections for personal information online. (Remember, the Stuxnet virus that destroyed thousands of Iranian uranium-enrichment centrifuges targeted the machines' industrial-control computers.)

The second bill also calls for the establishment of a "Scholarship for Service" program meant to cultivate a highly-skilled government cybersecurity workforce, and it requires the president to send a report to Congress on the government's current and future cybersecurity workforce needs.

This didn't take long. Cyber criminals have begun exploiting the Boston Marathon bombings to spread malware.

That's right, hackers are sending out a spam email labeled "Boston Marathon Explosion" in the subject line, according to a brand new FBI warning. The email contains a link to a website showing a series of photos of the attack site. At the bottom of the page there's an unloaded video that directs to "the Red Exploit Kit," according to the warning.

FP staffers have actually recieved several similar emails titled, "2 Explosions at Boston Marathon" and "Texas Plant Explosion".

The Red Exploit Kit is a new hacking tool that allows criminals to surreptitiously find security vulnerabilities in a victim's computer and upload malicious software through those vulnerabilities. "Once an exploit has been successful, the user sees a popup asking them to download a file, at which time the malware is downloaded," the warning says.

Once in, the hackers may look for personal information about their victims, according to the FBI. Personal information could include anything from bank account numbers to website passwords.

The FBI's announcement goes on to warn against fake charity Twitter accounts soliciting donations for victims of the attacks: "According to various reports, a Twitter account was created soon after the explosions that resembled a legitimate Boston Marathon account. Allegedly, for every tweet received to the account a dollar would be donated to the Boston Marathon victims."

The warning goes on to say that, while that account has been suspended, other fraudulent accounts may be set up. "The FBI was made aware of at least 125 questionable domains registered within hours of the Boston Marathon Explosions. Though the intentions of the registrants are unknown, domains have emerged following other disasters for fraudulent purposes."

Here are the FBI's recommendations for avoiding marathon bombing-related online scams.

Individuals can limit exposure to cyber criminals by taking the following preventative actions when using email and social networking Web sites.

• Messages may contain pictures, videos, and other attachments designed to infect your computer with malware. Do not agree to download software to view content.
• Links appearing as legitimate sites (example: fbi.gov), could be hyperlinked to direct victims to another Web site when clicked. These sites may be designed to infect your computer with malware or solicit personal information. Do not follow a link to a Web site; go directly to the Web site by entering the legitimate site's URL.

Individuals can also limit exposure to cyber criminals by taking the following preventative actions when receiving solicitations from, or donating to, charitable organizations online.

• Verify the existence and legitimacy of organizations by conducting research and visiting official Web sites. Be skeptical of charity names similar to but not exactly the same as reputable charities.
• Do not allow others to make the donation on your behalf. Donation-themed messages may also contain links to Web sites designed to solicit personal information, which is routed to a cyber criminal.
• Make donations securely by using debit/credit card or write a check made out to the specific charity. Be skeptical of making donations via money transfer services as legitimate charities do not normally solicit donations using this method of payment.

Ever thought the term C4ISR was acronym overkill? Well, here's another doozy. The Air Force's fiscal year 2014 budget request includes $11.3 million to develop tools to do, wait for it, "D5."

D5 stands for "deceive, degrade, deny, disrupt, destroy." No, it's not something an awful child does on the playground; it's what the service wants its cyberweapons to do enemy networks.

Offensive cyber-technologies are being built to allow Air Force cyber operators to secretly infiltrate enemy networks, stay there undetected, steal information, watch what the enemy is doing, resist reverse-engineering should it be discovered, and wreak D5 havoc (cue action-movie music).

Here's what the service's program has achieved so far, as described by the Air Force's budget request:

• Developed information system access methods and propagation techniques.

• Developed stealth and persistence technologies and initiated investigation into anti-reverse engineering methods.

• Developed the capability to exfiltrate information from adversary information systems, developed methods for increased cyber situational awareness and understanding of the battlefield, and developed methods for covert data exchange.

• Developed technology to deliver D5 (deceive, degrade, deny, disrupt, destroy) effects in concert with cyber platforms.

• Initiated development of a publish/subscribe architecture for exchange and exfiltration of information while operating within adversary information systems.

What's left to work on in 2014 besides continuing to develop the capabilities listed above? Start developing a "common operating platform" -- the actual computer interface that will allow Air Force cyber-troops to do all of the above.

By now, everyone is familiar with Distributed Denial of Service attacks -- the relatively primitive cyberattack that takes down a website by flooding it with visits. Well, there's a new denial of service trend that takes advantage of VoIP technology to target phone lines instead of websites.

Last month, the Department of Homeland Security and the FBI issued a confidential warning to first responders, warning that hackers may try to flood emergency call centers with phone calls, overwhelming them and preventing legitimate calls from getting through. Instead of a DDOS attack, it's called a Telephony Denial of Service (TDOS), attack.

Dozens of attacks in "multiple jurisdictions" have targeted these public safety lines -- which are not the same as 911 lines -- according to the DHS-FBI announcement, a copy of which was put online this week by cybersecurity researcher, Brian Krebs.

"These attacks are ongoing. Many similar attacks have occurred targeting various businesses and public entities, including the financial sector and other public emergency operations interests, including air ambulance, ambulance and hospital communications," reads the March 16 bulletin, which was for immediate dissemination to "public safety answering points and emergency communications centers and personnel." The FBI's Internet Crime Complaint Center issued a little-noticed warning about TDOS attacks in January.

The DHS-FBI announcement describes the wave of attacks as part of an extortion scheme whereby an individual -- who usually speaks with a thick accent -- calls an organization and asks to speak with a current or former employee and then demands collection of a $5,000 payday loan. When the victim tells the caller to get lost and hangs up, the attackers launch the TDOS attack using hacked VoIP automated dialing systems to flood the call center.

"The organization will be inundated with a continuous stream of calls for an unspecified, but lengthy period of time," reads the bulletin. "The attack can prevent both incoming and/or outgoing calls from being completed." The attacks can continue intermittently over weeks or even months.

TDOS attacks are meant to intimidate victims by flooding their employers with debilitating phone calls. Sometimes those employers happen to be emergency call centers. But the bulletin also says, "It is speculated that government offices/emergency services are being ‘targeted' because of the necessity of functional phone lines."

In another variant of this extortion scheme, perpetrators claim that an arrest warrant has been issued for the victim's failure to pay the loan. "In order to have the police actually respond to the victim's residence, the subject places repeated, harassing calls to the local police department while spoofing the victim's telephone number," the January notice said.

I'm no extortionist, but aren't there plenty of ways to shake someone down without bringing first responders into the mix? What could possibly go wrong for the criminals there?

We've heard plenty of civil liberties advocates object to the Cybersecurity Intelligence Sharing and Protection Act (CISPA), claiming the bill harms privacy rights. However, one group opposed to the act argues that it actually allows businesses to commit the very behavior it aims to curb -- that is, it allows them to hack the computers of anyone they believe is hacking them.

"CISPA says that a company gets immunity for any decisions made based on cyber-threat information that they receive under the bill and based on cyber-threat information that they identify and obtain using cybersecurity systems," Greg Nojeim of the Center for Democracy and Technology told reporters in Washington this morning.

This is where Nojeim worries that the bill could permit an increase in hacking.

"What if one's decision in response to the receipt of cyber-threat information from someone you think is a bad guy is to render the sending computer inoperative?" asked Nojeim. "That's certainly within the scope of the legislation and would be completely immunized."

As Nojeim and his colleagues at CDT read it, CISPA could allow businesses that think they had discovered a hacker to hit back or, hack back, against malicious actors in cyberspace  -- an action frequently referred to as active defense. (Yours truly has heard this topic debated plenty of times between lawyers who are against it and businesses who want to be able to defend themselves aggressively in cyberspace.)

CDT wants the bill's language tweaked to prohibit this behavior.

"What the bill does not say is, in looking for cyber threat information you can examine only your own network," said Nojeim. "If you think the cyber threat information is on somebody else's computer or on somebody else's network, you have authority, notwithstanding any law, to go get it . . . and immunity when you do." 

Killer Apps reached out to one of the bill's sponsors, House intelligence committee chairman Mike Rogers, and one of his committee staffers told us that authorizing companies to strike back at hackers "was not the chairman's intent." Rogers "intends to address this issue in committee markup" by adding language specifying that the bill does not authorize businesses to break into other people's networks. 

Rogers and the bill's co-sponsor, Rep. Dutch Ruppersburger, have insisted that they are working with the White House, privacy advocates, and businesses to address their concerns.

"We want to make sure that we meet the level of privacy concerns, and we think we can do that by working in some very direct language that expresses, in language, what we believe the bill already does but we want to reiterate that," said Rogers last week when announcing that the bill will come up for a committee vote this month.

As it's currently written, the bill specifically says that businesses can receive immunity from prosecution "for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or for decisions made based on cyber threat information identified, obtained or shared under this section."

"That authorizes hacking that would otherwise be a crime under current law, it authorizes cybersecurity criminal acts that are described in this very bill," he added. "The last place one would think you would find new authority to hack would be in cybersecurity legislation, but there it is."

Here's what Rogers said in December when asked how he felt about private entities fighting back against hackers.

"It's best not to go punch your neighbor in the face before you hit the weight room," said Rogers, in a warning to both public and private sector actors that are considering offensive actions to defend their networks under the growing trend of "active defense."

Government organizations and businesses are still figuring out the best way to defend themselves from advanced cyber threats. But, said Rogers, "until we have figured out how we will defend ourselves and our networks, I would be very, very, very cautious about using an offensive capability."

The lawmaker, speaking at an event at The George Washington University, added: "Now, you can't do a good defense if you don't develop the capability for offense...so I completely agree with [building offensive power]. I'm just very concerned about engaging [in offense] before we have the ability to defend ourselves because, guess what, something's coming back" to hit us.

Expect to see Congress take up legislation to punish nations and people that back global intellectual property theft and industrial espionage, House intelligence committee chairman Mike Rogers said today. Such legislation could revoke visas of those involved in economic espionage or sanction countries that back such behavior.

Such actions would punish "nation-states that steal intellectual property and repurpose it for government companies to illegally compete in the market," Rogers told reporters after a breakfast in Washington, alluding to Chinese intellectual property theft. "That's something I'm working on, and we've got some great bipartisan support on this and great bicameral support, and we'll have an announcement on this soon."

He added that legislation to punish countries engaged in economic espionage will not be included latest version of CISPA, set to be voted on next month, but rather it will be "announced and ready sometime this year."

He hinted that the legislation could also punish people who knowingly do business with foreign entities that rely on intellectual property theft for their business model.

"I steal from your house, and I come to [another person's house] and try to sell it, it is both a crime for me to steal it and a crime for you to take stolen property. This should be no different. The only difference is, the value of it is exponentially bigger," said Rogers, a former FBI agent.

Early last month, Rogers said the U.S. must do more to confront China on its state-backed economic espionage campaigns.

"We need direct talks with China and it needs to be at the top of a bilateral discussion about cyber espionage," Rogers told Killer Apps on Feb. 13. "This is a problem of epic proportions here, and they need to be called on the carpet. There has been absolutely no consequences for what they have been able to steal and repurpose to date." Rogers suggested that the U.S. implement trade sanctions and identify "individuals who participate in this, go after their visas, go after family travel, all of the levers we have at the Department of State. The problem is that bad."

Last month the White House unveiled its strategy to combat the international theft of intellectual property and trade secrets. This effort is focused on international law enforcement efforts to catch IP thieves and diplomatic cooperation aimed at curbing state-backed theft of trade secrets.

In case you haven't been following it, the Twitter traffic from today's Cyber Dialogue 2013 at the University of Toronto's Munk School of Global Affairs featured a great quote from a recently retired Canadian general.

Lt. Gen. Andrew Leslie (chief of the Canadian Army from 2006 to 2010, shown above in 2009) apparently made a comment that yours truly has heard plenty of times in Washington: a major, destructive cyber attack would likely prompt a knee-jerk reaction from governments that greatly expanded their control of the Internet. Killer Apps wasn't at the event to hear the quote directly, but here's what people who were at the event tweeted about it.

Taylor Owen, research director at Columbia University's Tow Center for Digital Journalism, tweeted that the general's comments sent "a chill over" the conference:

 "@taylor_owen wow, Andy Leslie sends a chill over cyberdialogue "You are all running out of time before 'people like me' try to govern cyberspace #cd13"

Scott Carpenter of Google Ideas called the Canadian general's comment "a weird threat":

 "@JSCarpenter11 Weird threat from a former general: "you're running out if time" b/c once "something bad" happens in cyber gov't will assert control #cd13"

Finally, Richard Bejtlich, chief security officer at cyber firm Mandiant, tweeted:

 "@taosecurity At #CD13 retired Canadian general warns "you're running out if time" because once "something bad" happens in cyber, gov will assert control."

It's interesting to see cyber professionals from some of the foremost institutions in tech, business, and journalism express surprise over Leslie's comments. U.S. lawmakers have made similar comments throughout the last year in trying to pass cyber security legislation.

Reps. Mike Rogers and Dutch Ruppersburger -- co-sponsors of CISPA, the cyber security bill currently being worked on in the House -- have used this argument several times in an attempt to push lawmakers to adopt their bill, which civil liberties advocates say is harmful to individual privacy rights.

Last summer, James Lewis of the Center for Strategic and International Studies warned that a destructive cyber attack will likely result in Congress passing legislation that runs roughshod over privacy rights.

Army Gen. Keith Alexander, head of United States Cyber Command, dropped several interesting nuggets about the military's cyber forces during a Senate Armed Services Committee hearing today.

First off, the command is fielding 13 offensive cyber teams that are tasked with deterring destructive cyber attacks against the United States. While Alexander said these are offensive teams, he insisted their role is defensive: "Let me be clear, this defend-the-nation team is not a defensive team, this is an offensive team that the Department of Defense would use to defend the nation if it were attacked in cyberspace."

If you have trouble making sense of that, you're not alone. After the hearing, Alexander compared the teams to missile defenses. (Click here to read some of the Defense Science Board's recent suggestions for deterring destructive cyber attacks with some pretty offensive weaponry.)

"We are already developing the teams that we need, the tactics, techniques, and procedures and the doctrine for how these teams would be employed, with a focus on defending the nation in cyberspace," said Alexander in his opening statement.

In addition, the command is developing 27 teams that will provide assistance in planning offensive cyber operations to the regional combatant commands -- the military organizations around the globe that are tasked with actually fighting wars.

Finally, the command is organizing a number of teams, Alexander didn't say how many, aimed at defending the military's networks against cyber attacks.

"Those three sets of teams are the core construct for what we're working with the services to develop our cyber cadre," said Alexander. "The key here is training our folks to the highest standard possible."

One third of these teams will be stood up by September 2013, the second third in late 2014, and the final third will be in place a year after that, he told lawmakers. 

The Army four-star also said in his written statement that in addition to 917 troops and civilians at Cyber Command headquarters in Maryland (with a budget for FY13 of $191 million), there are more than 11,000 people from all four armed services working cyber issues for the command. (Click here for Killer Apps' recent look at the total expected number of cyber troops in the U.S. military. The numbers we saw were a lot higher than 11,000.)

Alexander's testimony comes as Defense Secretary Chuck Hagel is looking at whether or not to elevate Cyber Command to a full-unified command. Cyber Command currently reports to U.S. Strategic Command.

Later in the hearing Alexander said he agreed with Sen. Lindsey Graham's (R-SC) statement that a major cyber attack that devastated the U.S. power grid would do "as much or more damage" as the 9/11 terrorist attacks. On the other end of the spectrum, Alexander said that the denial of service attacks like the ones suffered by major U.S. banks last fall are best dealt with by Internet Service Providers, not the government. He went on to say that in addition to the Obama administration's recent cyber security executive order, legislation is needed to allow private businesses to share information about cyber attacks they are suffering in real time with the U.S. government.

Also today, the U.S. Intelligence Community released its annual World Wide Threat Assessment, featuring cyber at the top of the list, ahead of terrorism. However, U.S. Director of National Intelligence James Clapper told lawmakers today when unveiling the assessment that the risk of major destructive cyber attacks against the U.S. by a major cyber player like Russia or China "is remote." Remember, Russia and China are the two powers most frequently cited as being able to execute a catastrophic destructive attack against the U.S. Still, many would point out these countries have little interest in doing so.

Killer Apps was lucky enough to have a short email Q and A with Air Force General C. Robert Kehler, chief of U.S. Strategic Command. Remember, in this role he's not only in charge of the nation's nuclear forces, he's also the military's top cyber officer since U.S. Cyber Command falls under STRATCOM.

It's worth pointing out that he's been dealing with cyber professionally for almost a decade. Before taking over STRATCOM in 2011, Kehler led Air Force Space Command when it stood up the service's cyber fighting unit, 24th Air Force, with more than 14,000 airmen in 2009. From 2005 to 2007, he served as deputy commander of U.S. Strategic Command where he helped oversee, among other things, the U.S. military's network warfare operations -- the term for what would later be called cyber operations.

Here's what he has to say about cyber threats, the idea of cyber deterrence, the cyber budget, and whether or not Cyber Command will become an independent combatant command:

Killer Apps: What worries you the most in cyber, what keeps you up at night?

Kehler: The possibilities of disruption or damage to the nation's critical infrastructure, our economy, and our military capabilities from cyber-attack or cyber-espionage are of great concern.

The greatest cyber threat we face as a nation is the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety. The uncertainties in the full capabilities of potential adversaries along with the requirement to rapidly characterize an attack when coupled with the speed at which a potential adversary can carry out that attack concern me.

Killer Apps: How are the sequester, the continuing resolution, and general budget concerns impacting cyber forces?

Kehler: The continuing resolution will have the largest impact to US Cyber Command in the areas of workforce growth and cyber situational awareness. The Department was primed to begin an aggressive increase in the size and training of the workforce to provide full spectrum cyber capability. The CR impacts this effort. Compounding this effect, sequestration will result in the furlough of more than 400 civilian workers at US Cyber Command. One of the key capabilities required to defend our networks is timely and comprehensive cyber situational awareness. The FY13 budget provided funds to begin development of a common operational picture to support cyber situational awareness for all the Services and Combatant Commands. This effort will also be delayed. 

Killer Apps: Is there any update on the decision to elevate Cyber Command to a full unified command?

Kehler: The Joint Staff has been examining different command options, including maintaining the status quo. These different options will be presented to the Secretary of Defense for review and decision on whether to recommend a change to the President.

Killer Apps: Is doctrine of cyber deterrence emerging?

Kehler: We are working hard to enhance the protection and resilience of our networks as we increase the capacity and capability of our cyber operational forces.

Together we believe these steps will enhance our overall deterrence posture by convincing adversaries they cannot achieve their objectives and will run the risk of unacceptable US response at the time, place, and via the domain of our choosing. It is in the best interests of all nations to recognize our common dependence on free access to and use of cyberspace, and to behave accordingly. Finally, we are working to improve our ability to detect and attribute hostile action in cyberspace.

Think you knew all there was to know about Stuxnet, the worm that was discovered in 2010 to have destroyed thousands of uranium enrichment centrifuges at Iran's Natanz nuclear facility? Think again. It appears that an early version of the worm was attacking Iran's nuclear program years before the version that made headlines in 2010 was unleashed, according to a new report by the IT Security firm Symantec.

Dubbed Stuxnet 0.5, the early version of the worm attacked Iran's nuclear program by closing valves that allowed uranium hexafloride gas (UF6) to flow into the centrifuges at Natanz, according to Symantec. Cutting off the flow of UF6 would, in theory, damage the centrifuges. (Click here for a primer on gas centrifuges.)

This apparently didn't work as well as Stuxnet's designers wanted it to and we saw later versions of the worm that famously caused the centrifuges to spin out of control -- thereby destroying them. Stuxnet 0.5 was under development as early as November 2005 and in the wild by November 2007 with orders to shut down by July 2009 -- the year that the version aimed at causing the centrifuges to spin out of control was developed, according to Symantec.

"The earliest known variant of Stuxnet was version 1.001 created in 2009. That is, until now," reads a Symantec blog post accompanying the report.

Remember, Stuxnet was reportedly the work of a U.S.-led cyber campaign against Iran known as Operation Olympic Games. At the time of its discovery the worm was considered to be one of the most advanced cyber weapons ever fielded. The worm reportedly took an unprecedented amount of time, expertise, and money to create.

As a Symantec blog post says, "Stuxnet proved that malicious programs executing in the cyber world could successfully impact critical national infrastructure."

The malware was designed to worm its way (See what I did there?) harmlessly around the globe until it found its precise target, the Siemens-made programmable logic control (PLC) computers that ran the centrifuges at Natanz. Once there, it attacked. You know the rest.

Some cybersecurity experts fear that cyberweapons like Stuxnet can be revers- engineered and used against their creators or sold on the ever-growing black market for cyber weapons.

"The difference between traditional weapons and cyber weapons is that it's not possible to [re]assemble a cruise missile after it has been used," said cyber security expert Eugene Kaspersky last September in Washington. "Cyber weapons are different" because the victims "can learn from" weapons used against them.

As another cyber security expert told Killer Apps last fall:

Because uranium centrifuges and power turbines are both spinning machines, "the attack is identical -- the one to take out the centrifuges and the one to take out our power systems is the same attack."

"If a centrifuge running at the wrong speed can blow apart" so can a power generator, said the expert. "If you do, in fact, spin them at the wrong speeds, you can blow up any rotating device."

These new revelations are unlikely to assuage such fears.

The U.S. government has and will continue to confront senior Chinese government officials "at the highest levels" about the massive amounts of cyber theft and espionage being committed against the United States by Chinese hackers, a senior White House official said today.

"We have repeatedly raised our concerns at the highest levels about cyber theft with senior Chinese officials, including in the military, and we will continue to do so," said the official in a statement emailed to Killer Apps Monday morning in reaction to cyber security firm Mandiant's new report detailing the exploits of a Chinese government cyber espionage unit.

"The United States has substantial and growing concerns about the threats to U.S. economic and national security posed by cyber intrusions, including the theft of commercial information," said the official, whose comments come a week after the White House introduced its cyber security executive order aimed at protecting critical infrastructure providers -- a relatively small group of banks, transport firms, energy companies, defense contractors and communications providers -- from crippling cyber attacks that would impact large numbers of Americans. The Pentagon is famously bolstering its offensive cyber capabilities in an effort to deter destructive cyber attacks against the United States.

The news of Mandiant's findings, first reported by the New York Times, also comes a week after Rep. Mike Rogers (R-Mich.), chairman of the House intelligence committee, called on the United States to confront China on its reportedly widespread cyber theft and espionage campaign against U.S. government and businesses. (Click here to read Killer Apps's recent interview with Mandiant's chief security officer on China's massive espionage campaign.)

"We need direct talks with China, and it needs to be at the top of a bilateral discussion about cyber espionage," Rogers told Killer Apps after a speech at the Center for Strategic and International Studies Wednesday. "This is a problem of epic proportions here and they need to be called on the carpet. There has been absolutely no consequences for what they have been able to steal and repurpose to date."

Rogers suggested that the United States begin implementing trade sanctions and "identifying individuals who participate in this, go after their visas, go after family travel -- all of the levers we have at the Department of State. The problem is that bad.

White House officials have repeatedly declined to discuss the specific steps they are considering taking to counter Chinese cyber aggression.

The United States is reportedly preparing a National Intelligence Estimate detailing Chinese cyber attacks against U.S. interests.Last year, Rogers's committee urged U.S. companies not to deal with Chinese telecommunications firms Huawei and ZTE, accusing the two of spying on U.S. businesses for the Chinese government. Also last year, U.S. Army Gen. Keith Alexander, head of U.S. Cyber Command and the National Security Agency called cyber crime "the greatest transfer of wealth in history."

The White House official went on to call for the United States and China to "continue a sustained, meaningful dialogue and work together to develop an understanding of acceptable behavior in cyberspace."

The effort to establish international rules of the road, or norms of behavior, in cyberspace based on the law of armed conflict is a tricky process that may take decades to flesh out, U.S. officials have repeatedly said. 

The leaders of the House intelligence committee say they are working with the White House to ensure passage of the Cyber Intelligence Sharing and Protection Act, which fell to a presidential veto threat last year but which Chairman Mike Rogers' (R-Mich.) reintroduced yesterday.

The bill would establish rapid information-sharing about cyber threats between private businesses and the government. Last year, the White House threatened to veto it over concerns from privacy groups that the bill gave the government too much authority to view people's online activities without a warrant.

"We were working with the White House for one year, and we thought everything was going to be fine," Dutch Ruppersburger, the committee's ranking member, said yesterday in a joint appearance with Rogers. "Fifteen minutes before we went to the rules committee, we received a phone call that the president was going to veto our bill."

"We've resolved all that," he added. "We're working with the White House as of today. Mike [Rogers] and I talked with the national security advisor [Tom] Donilon and the White House is now working with us to ensure that somehow, some way, we get a bill."

Rogers was a little more cautious, telling reporters yesterday that White House "does not endorse the bill" as it stands right now and that negotiations over its contents are ongoing. "They want to see changes in the bill, but that's a long way from where we used to be," said Rogers. "We're actually having a dialogue on how the bill moves through, I welcome that, that's a good thing." 

Ruppersburger and Rogers repeatedly emphasized during a Capitol Hill hearing today that the bill will not infringe on privacy, and that CISPA only authorizes the government and private companies to share digital threat signatures, "ones and zeros" that make up packets carrying malware.

It does not allow the government to not "monitor your computer, read your email, tweets or Facebook posts," Ruppersburger said yesterday.

The two lawmakers also said they are committed to working with privacy advocates on the bill.

Finally. President Barack Obama signed the long-awaited executive order on cyber security today. As expected, the order expands information-sharing programs between the government and private sector and establishes voluntary cyber security best practices for critical infrastructure providers -- though the administration plans to use its leverage to strongly encourage compliance.

One of the order's main provisions calls for the National Institutes of Standards and Technology to work with the private sector to identify a set of cyber security best practices that can be turned into a "Cybersecurity Framework" that critical infrastructure firms would use to ensure they are defended against cyber attack. A senior administration official said this afternoon that this framework, due one year from today, "is not designed to be a one size fits all approach" and will "not lock in specific technology or approaches."

NIST and other government agencies will work with businesses that have proven to be the best at cyber security to help develop these practices. "We believe that companies driving cyber security innovations are really in the best place to help us push out best practices across more of the critical infrastructure and companies would have a lot of flexibility in determining how to do so," said the official. "This is about taking the existing best practices and spreading them out to as many of the critical infrastructure companies as we can."

The Department of Homeland Security will form an organization to push out these standards to critical infrastructure providers. DHS, DoD and other government agencies will develop incentives, in collaboration with the private sector, to coax critical infrastructure companies into adhering to those standards, since they are officially voluntary.

"There's a whole range of " incentives that have been suggested, added the official, mentioning the recommendations of the Commission for Cyber Security and the 44^th Presidency as some examples.

Possible incentives could include government contracts, according to the official. Government agencies have 120 days from now to come up with these incentives.

In addition to the incentives, the order also has "teeth," according to the official. It calls for federal agencies to review their regulations for industries they oversee to make sure they apply to cyber security. If critical infrastructure providers don't live up to the minimal best practices that emerge in the Cybersecurity Framework, the agencies could find a way to make them.

"It makes business sense to [adopt these practices] in a lot of cases, and that's something that a lot of businesses are starting to understand," said the official. "What we want to make sure of with our direction to our federal regulators is that, if for some reason that market signal isn't getting through as clearly or as loudly as we would like, that there's the backstop of the federal regulators to make sure those companies that are in this critical infrastructure [sector] . . . are really putting into the baseline levels of cyber security."

In other words, the administration believes the market will demand better cyber security, and it is going to provide incentives to encourage better practices. But if those approaches don't work, it will use its regulating power to ensure that various critical infrastructure businesses adhere to minimal standards, added the official.

"We're giving multiple avenues for either incentives to be created in the voluntary program and for market forces to work, but we're also putting in place the ability and the direction for the regulators to use their existing authority, if needed" to make sure critical infrastructure businesses adhere to minimal standards, said the official.

The order defines critical infrastructure providers as company and organizations with "systems and assets, whether physical or virtual, so vital to the United States that the incapacity of destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." The senior administration official said the White House expects this to amount to a very small number of private businesses.

The order also calls for increased information sharing about cyber threats between government agencies like the Defense Department, the Department of Justice, the Intelligence Community, the Department of Homeland Security. One of the ways this will be done is by expanding the Pentagons DIB Pilot program (click here to read all about that), which allows the government to rapidly share information on cyber threats aimed at defense contractors with those companies.

As expected, DHS will have the lead on information sharing and is required to come up with a plan to ensure that civil liberties are protected. The order does not provide liability protections for companies that improperly share private citizens' information with the government or that violate antitrust laws in the course of sharing information. Those issues will have to be addressed by cyber security legislation, said the official. The order also calls for an expansion in the number of critical infrastructure workers who may receive classified briefings on cyber threats.

White House officials today said the information shared under the executive order would be specific digital threat signatures -- strings of ones and zeros -- that can identify pieces of malware aimed at critical infrastructure providers, not the contents of peoples' email. Click here to read more about the type of information that the government would share with critical infrastructure providers. The order calls for numerous privacy protections and reviews when information is shared to make sure that information about private citizens or companies is not inappropriately used. The privacy protections involved "will be based upon the Fair Information Practice Principles," reads the document.

Here's a copy of the executive order:

White House Cybersecurity Executive Order 

Rep. Jim Langevin (D-RI), co-chair of the Congressional Cyber Caucus, just released the text of a letter he sent President Barack Obama, urging him to discuss cyber security in his State of the Union address next week. Langevin doesn't specify what he wants the president to say other than "I hope that you will take the unique opportunity afforded by your State of the Union address to galvanize both Congress and the public to demand immediate action to secure out country's cyberspace."

Keep in mind that the White House is famously working an executive order that is believed to contain minimum IT security standards for banks, energy companies, transportation firms, and other so-called critical infrastructure providers in the wake of Congress's repeated failures to pass cyber security legislation last year.

This comes just after a New York Times report saying that the White House has decided it can conduct preemptive cyber strikes if it thinks such actions will stave off a major cyber attack that could seriously damage the United States. Last October, Defense Secretary Leon Panetta said the Defense Department is prepared to conduct this type of aggressive defense.

Here's the text of Langevin's letter:

February 5, 2013

The Honorable Barack Obama

President of the United States

The White House

1600 Pennsylvania Avenue NW

Washington, D.C. 20500

Dear Mr. President:

Congratulations on your inauguration for a second term. As your State of the Union address now approaches, I would like to thank you for your efforts to improve our nation's cybersecurity in your first term. From increasing the amount and quality of the data shared among federal agencies and the private sector to elucidating clear policy guidelines for trusted identities in cyberspace and cyberwarfare, your administration has truly made protecting American citizens and American interests a national priority.

Unfortunately, the scope of the challenge has only increased. The same American ingenuity that allows our businesses to be world-leaders in information technology also exposes us to a host of new threats. Defense Secretary Panetta, speaking to the Business Executives for National Security, described the current state of cyber-affairs as "a pre-9/11 moment." Attacks against our defense industrial base, our financial services infrastructure, our free press, and even our own government networks are a daily occurrence. While none have yet caused the destruction on the scope of 9/11, the potential for such a disaster is real, and it is growing.

Combating this threat is a pressing priority. As the co-founder of the Congressional Cybersecurity Caucus, I work to inform my colleagues of the inadequacy of existing legislation to secure the domain, and I have appreciated your administration's efforts to highlight the immediacy of our need. I hope that you will take the unique opportunity afforded by your State of the Union address to galvanize both Congress and the public to demand immediate action to secure our country's cyberspace. While I trust that you will use every existing avenue of executive power to improve our capabilities in this realm, our current laws simply do not reflect the amazing technological advances (and the accompanying challenges) that have been made since their enactment.

I was privileged to serve as the Co-chair of the Commission on Cybersecurity for the 44th Presidency, which presented you with a series of recommendations when you first took office. Your actions in your first term have made it abundantly clear that you have embraced the need for a comprehensive cybersecurity strategy, and I look forward to working with you to expand and implement this strategy throughout the coming session.

Sincerely,

Jim Langevin

Member of Congress