Homeland Security won’t wait for Congress on cybersecurity

Congress still might get around to completing action this year on cybersecurity information-sharing legislation, but in the meantime the private sector and even the ponderous Department of Homeland Security are pressing ahead with their own initiatives.

Spies, thieves and terrorists in cyberspace leave behind telltale “indicators” of their activities. Cybersecurity experts envision a future in which information on threats is shared at “machine speed,” or in real time, allowing rapid responses that minimize the impact of attacks.

Sharing information manually “takes hours, if you’re lucky,” William Nelson, the president and CEO of the Financial Services Information Sharing and Analysis Center, said last week at an event sponsored by law firm Arent Fox. Nelson’s group has collaborated with DHS on a project that brings that down to seconds. Under this new process, “Our worst case is 10 minutes. One second is our best case.”

Homeland Security’s Gregory Touhill, a retired Air Force brigadier general, said the goal is to get it down to milliseconds. “I don’t want to declare success yet, but it’s looking very good,” Touhill said.

Nelson’s organization is adding 200 members a month, he said, and is active in 40 countries. Initiatives are sprouting in other sectors as well: The CEOs from 30 major power companies recently assumed direct control over the electricity sector’s version of the info-sharing body, Touhill said.

On Capitol Hill, staff discussions have begun on reconciling House and Senate-passed cyberbills that contain industry-sought liability protections for companies that choose to participate in information-sharing arrangements.

Final action in 2015 seems a long shot since lawmakers are in session for only four weeks before the end of the year. But wrapping up negotiations and approving the complex cyberlegislation in that time frame isn’t completely “crazy,” a Senate source said, noting that the House and Senate bills share the same goals and have many similarities.

There are plenty of differences too, which will require close attention from staffers and ultimately from lawmakers and the White House.

The issues to be resolved include the definition of “cyberthreat indicators” that can be shared between industry and government; whether this data must be shared through a “portal” at Homeland Security or can be shared directly with other entities like the FBI; and what standard must be met when it comes to removing personal information from the data.

Industry sources said they will be descending on congressional offices this week to press for tweaks to the legislation, and more importantly, to urge lawmakers to get the final measure to President Obama this year.

The administration has stressed that the president wants to sign an info-sharing bill into law, after threatening to veto earlier versions in previous years. But the White House will try to ensure that only a narrow type of information can be shared, that it must go through the DHS portal, and that industry faces a meaningful requirement to strip out personal information before sharing.

But “the biggest threat to personal information would be to do nothing,” Sen. Dianne Feinstein, D-Calif., a chief cosponsor of the Senate cyberbill, warned in a speech at the Arent Fox event. “Hardly a month goes by without a significant attack,” Feinstein said, pointing to major hacks on banks, retailers and the health and IT sectors over the past year.

“It’s only a matter of time before these attacks progress to our critical infrastructure,” Feinstein said. When that happens, “Thousands of lives will be in danger.”

A robust process of information sharing won’t prevent those attacks, Feinstein and other backers of the legislation acknowledge, but it could save many lives by quickly identifying cyberintrusions and allowing security professionals to respond.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
