Compromise on Info-Sharing Measure GrowsGOP Committee Chairman Says He Sees Merit in Obama Plan
A willingness to compromise expressed at a Feb. 25 House hearing on President Obama's cyberthreat information sharing initiative offered a sign of hope that long sought legislation to get businesses to share such data could pass Congress this year and be signed into law.
The tone of the discussion at the hearing was far different than in the past two congresses, when the White House threatened presidential vetoes of cyberthreat information sharing measures that passed the House of Representatives.
Congressional Republicans and the Democratic president and his supporters differed in the past over how an information sharing law should address liability protections and privacy safeguards. The White House maintained the liability protections in the Republican-sponsored legislation were too broad and that privacy safeguards were too weak. The GOP argued the liability provisions in their bills - which had some Democratic backers - were needed to get the private sector to participate in the voluntary information sharing program and that the privacy protections the White House sought would be too costly for some businesses to implement.
But those differences seem to have narrowed at the Feb. 25 House Homeland Security Committee, where an expression of willingness to seek compromise surfaced from both sides.
Bone of Contention
"It is, sometimes, a bone of contention between both sides of the aisle," House Homeland Security Committee Chairman Mike McCaul, R-Texas, said, referring to differing views on liability protection. But McCaul congratulated administration representatives at the hearing for presenting the president's plan and saw merit in its proposals. "I talked to the private sector; they like the liability protections that are presented here," he said, especially in regards to sharing data with the government.
Still, McCaul said some business leaders had reservations about the liability protection in Obama's plan for businesses that want to share cyberthreat information with other business.
The president's proposal would provide liability protection for businesses that share cyberthreat data with DHS's National Cybersecurity and Communications Integration Center, known as NCCIC. Under Obama's plan, those protections aren't extended to businesses that share information with each other directly but would be covered if the data is shared through newly formed information sharing and analysis organizations, or ISAOs (see How New Information Sharing and Analysis Organizations Work). "What the legislation provides is that the private sector can share among themselves through these appropriate organizations and enjoy the same liability protections for providing that information to those organizations," said Undersecretary Suzanne Spaulding, who runs the National Protection and Programs Directorate, the DHS entity charged with collaborating with business on cybersecurity.
Working Out Legislative Language
McCaul responded that the liability protections to share information with NCCIC could serve as the "construct" to share data among businesses, suggesting specific legislative language could be worked out between Congress and the administration. "We can discuss that more as this legislation unfolds," he said.
Rep. Curt Clawson, a Florida Republican who led several multinational corporations before his election to Congress in 2014, said getting buy-in to share cyberthreat information with the U.S. government from companies with global operations and stakeholders could prove to be "a tough sale."
"My world is all about multiple stakeholders," Clawson said, addressing Spaulding. "We're trying to protect our customers, our suppliers, the communities that we live in, and what I've read so far of what you proposed just doesn't feel like a compelling case that I can take to my multinational board of directors. ... Any private-sector CEO would be negligent to go along on the basis of trust" without the U.S. government providing a detailed plan on what information is being sought and how it would be used.
Spaulding said the government will build that trust and agreed with Clawson that the "devil is in the details" of a final legislative plan. She said information to be shared would be minimal and technical, such as explicit cyberthreat indicators, IP address and specific types of malware. The undersecretary said the government would be transparent on the types of information it seeks and receives and develop policies and protocols to protect proprietary as well as personally identifiable information. "This isn't going to make every company open its doors," Spaulding said. "But it does address concerns that we've heard from the private sector, and there will be a fair amount of detail about precisely what we're talking about sharing here."
Though not totally persuaded, Clawson offered to work with DHS on the legislation, an offer Spaulding accepted.
Stripping PII from Shared Data
Another partisan difference is the Obama administration's insistence that companies strip personally identifiable information from data before it's shared, an act that some Republicans say puts a financial burden on businesses. Phyllis Schneck, DHS deputy undersecretary for cybersecurity, explained that under Obama's proposal, companies would need to make a "good-faith effort" to remove PII, conceding that it is a "policy puzzle" that needs to be solved by the private sector working with law enforcement and the intelligence community. "We're doing our best to get everybody to design that," Schneck said.
Regardless of how the final language of a cyberthreat sharing bill reads, such legislation is only one part of a solution to mitigate cyberspace risks. "Information sharing is no silver bullet," said Eric Fischer, senior specialist for science and technology at the Congressional Research Service. "It's an important tool for protecting systems and their contents. As long as organizations are not implementing even basic cyber hygiene, there are going to be some significant difficulties."
Fischer cited a Hewlett-Packard study that shows 45 percent of companies lack basic cyber hygiene. "There have been cases where companies had the information, but nevertheless did not pay sufficient attention to it," he said. "They had information that could have prevented an attack. If a company is not prepared to implement threat assessments that they receive, then that's going to be a problem."