Liability protection will be the key to any information-sharing bill

A late-winter storm wiped out a couple of cybersecurity hearings on Capitol Hill, but legislative efforts are gathering steam and the first payoff could be seen this week.

The Senate Intelligence Committee may advance a bill that sets terms for sharing cyberthreat indicators between the government and the private sector, and among companies, and that protects companies from lawsuits and from regulatory and antitrust actions.

It would also shield participating companies from certain Freedom of Information Act requests.

Supporters say these threat indicators are basically strings of zeros and ones, and wouldn’t compromise personal data. Critics aren’t so sure.

The House is in recess this week, and a House Intelligence Committee hearing on cybersecurity was scrapped last week thanks to the snow. House Intelligence Chairman Devin Nunes, R-Calif., is expected to reschedule the hearing and move a bill shortly thereafter.

Nunes’ bill is likely to mirror the Senate Intelligence Committee proposal, which has been circulating among industry and other stakeholders in recent weeks.

Matthew Eggers, a cybersecurity policy leader at the U.S. Chamber of Commerce, testified March 4 before the House Homeland Security cybersecurity subcommittee that the Senate bill should garner strong industry support.

The bill strikes a balance between privacy demands related to personally identifiable information, he said, and industry’s need for strong liability protection before companies get too deeply involved in sharing cyberthreat indicators.

The Cybersecurity Information Sharing Act, drafted by Senate Intelligence Chairman Richard Burr, R-N.C., and ranking member Dianne Feinstein, D-Calif., “reflects practical compromises among many stakeholders on these issues,” Eggers testified.

“The chamber looks forward to reviewing the bill following the markup to determine its support for the base measure and any amendments,” Eggers told members of the House subcommittee. “Industry is likely to strongly support CISA.”

On the other hand, Eggers cited a number of flaws with an information-sharing proposal advanced by the Obama administration and reflected in a bill by Senate Homeland Security and Governmental Affairs ranking member Tom Carper, D-Del.

While the Burr-Feinstein bill “offers strong protections and flexible avenues for sharing with public and private entities,” Eggers said, the administration and Carper proposals would limit the type of sharing that receives liability protection.

The liability piece is key for industry.

Businesses fear that shared threat indicators could “have a boomerang effect and come back to [legally] bite us,” Eggers said.

Phyllis Schneck, cybersecurity deputy at the Department of Homeland Security, has spoken of her own experiences in the private sector, when liability concerns persuaded executives to sit on threat information rather than share it with the government.

Industry wants to be able to share threat data with the Department of Homeland Security, but also with other legitimate outlets like the FBI, Eggers explained. “What industry wants is flexibility,” he said, as well as limits on the requirement to remove personally identifiable information from the data.

Detailed personally identifiable information requirements would probably prevent smaller organizations — which may be juicy targets for cyber attacks — from participating, according to Eggers and other business officials.

The administration and Carper proposals restrict liability protection to acts of sharing with the Department of Homeland Security and with new “information sharing and analysis organizations” to be established under President Obama’s recent executive order on cyber information sharing.

House Homeland Security Chairman Michael McCaul, R-Texas, is a big supporter of liability protection for companies that share cyber threat indicators. He’s also a big fan of a recently enacted law, produced by his committee, that puts DHS at the center of government-industry information sharing.

McCaul’s full committee and his cybersecurity subcommittee have now held two hearings on the president’s proposal.

McCaul and new subcommittee Chairman John Ratcliffe, R-Texas, made clear at both sessions that they are going to advance a bill positioning the Department of Homeland Security as the prime civilian “interface” with industry on cybersecurity.

That means the intelligence and homeland security panels, and House leaders, eventually will have to figure out a way to merge two proposals that cover different aspects of info-sharing but also overlap in some areas.

Considering the high stakes and intense interest from the business sector, lawmakers from multiple committees are eagerly jumping at a chance to lead on the issue.

“Every generation faces monumental moments where their tenacity to overcome the challenges of the time are tested,” Ratcliffe said last week, with just a touch of hyperbole. “Now is our time, as we move deeper into the digital age, to ensure that the cybersecurity challenges we face today are met with the same resolve shown by previous generations of Americans.”

Some observers suggest the information sharing aspect of cybersecurity is too narrow and limited to justify expending so much political capital.

“Quelling the nation’s cybersecurity problems is a complex, multi-faceted endeavor not subject to a silver bullet,” the RAND Corporation’s Martin Libicki testified before Ratcliffe’s subcommittee last week. “It is therefore highly questionable whether efforts to achieve information-sharing deserve the political energy that they are currently taking up.”

Others, like Internet Security Alliance President Larry Clinton, support information-sharing legislation but say much more energy should be devoted to the daunting economic challenges of bolstering industry defenses against nation-state cyberattacks.

But it’s clear that the cybersecurity discussion in the 114th Congress will begin with information sharing.

It will be a debate, starting with jurisdictional issues but extending into questions of how the government and private sector interact on a matter of critical national security importance.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
