Congress to Consider Info-Sharing Bills
Liability Protection Key Issue in Cybersecurity Debate
With President Obama calling on Congress to enact cyberthreat information sharing legislation, Rep. Mike McCaul likes to remind the commander in chief that the House of Representatives passed such measures in each of the past two Congresses. And, in each case, the White House threatened to veto the measures, which died in the Senate.
"I am glad that the president finally came to the table on this issue and delivered a proposal to Congress last month," says McCaul, the Texas Republican who chairs the House Homeland Security Committee.
Obama has dominated the headlines the past two months in promoting his cybersecurity agenda. At last week's White House cybersecurity summit at Stanford University, he delivered a major address and signed an executive order to facilitate the sharing of cyberthreat indicators between the government and business (see Obama Grapples with Cyber Challenges). Among Obama's legislative proposals, announced in January, is a cyberthreat information sharing bill that aims to provide liability protections to businesses and privacy and civil liberties safeguards to individuals, necessary elements in getting such legislation passed.
President Obama discusses the need for Congress to enact cyberthreat information sharing legislation.
Now it's Congress's turn to take center stage, and McCaul isn't wasting time. He's scheduled a House Homeland Security Committee hearing for Feb. 25 to review the administration's cybersecurity legislative proposal. Undersecretary for the National Protection and Programs Directorate Suzanne Spaulding and her top cybersecurity adviser, Deputy Undersecretary Phyllis Schneck, are scheduled to testify.
Time to Act
Citing the recent cyber-attack on health insurer Anthem, McCaul says, "Now, more than ever, Congress must take aggressive action to remove legal barriers to improve private entities' ability to share information to combat these attacks."
The House Homeland Security Committee isn't the only congressional panel to take up cyberthreat information sharing legislation. The Senate Permanent Select Committee on Intelligence and the Senate Homeland Security and Governmental Affairs Committee are expected to consider cyberthreat information sharing legislation.
The House Permanent Select Committee on Intelligence also will tackle the matter. Indeed, the panel's chairman in the past two Congresses, Republican Mike Rogers of Michigan, shepherded the cyberthreat information sharing legislation known as the Cyber Intelligence Sharing and Protection Act, or CISPA, through the House. Rogers has retired, and the new chairman of the intelligence panel, Rep. Devin Nunes, R-Calif., is expected to pick up where Rogers left off. "I am glad to see President Obama putting forth his ideas to address this critical issue," Nunes said. "They will receive close consideration as the House Intelligence Committee crafts a cyber bill."
Rogers' co-sponsor, Rep. C.A. Dutch Ruppersberger, D-Md., reintroduced CISPA in January. Ruppersberger says the business community "is clamoring for help protecting its networks," noting that nearly 70 businesses submitted letters of support for an earlier version of CISPA. But Ruppersberger's influence on the intelligence panel has been diminished. In the last Congress, Ruppersberger served as ranking member of the committee; this session, he's no longer a committee member. For a cyberthreat information sharing bill to get enacted, it would need to have a Republican as its chief sponsor because the GOP controls both houses of Congress. But a Democrat would likely be a principal co-sponsor because bipartisan support is needed for Congress to enact cybersecurity legislation.
The versions of cyberthreat information sharing legislation the Republican-controlled committees develop are expected to be more along the lines of CISPA than what Obama offers.
Cyber Threat Sharing Act of 2015
Obama's position on cyberthreat information sharing legislation is reflected in a bill introduced earlier this month by Sen. Tom Carper, the Delaware Democrat who serves as the ranking member of the Senate Homeland Security and Governmental Affairs Committee.
Carper's bill, known as the Cyber Threat Sharing Act of 2015, codifies key components in Obama's executive order, including designating the Department of Homeland Security's National Cybersecurity and Communications Integration Center as the key government agency to collaborate with the private sector through information sharing and analysis organizations, known as ISAOs, to share cyberthreat information.
Carper says the bill would empower "companies with clear legal authority and liability protection to share critical data while still maintaining privacy protections."
But it's those liability protections and privacy safeguards that are the main differences between the Obama/Carper proposal and CISPA. And resolving those differences - especially on liability protection - is critical in getting Congress to pass cyberthreat information sharing legislation.
Many businesses are reluctant to share cyberthreat information - with the government or other businesses - until Congress enacts a law to provide them with liability protection, which the president cannot furnish on his own.
CISPA would provide businesses with liability protections if they made a good-faith effort in their sharing of cyberthreat information; the Carper bill doesn't have a good-faith effort clause. In addition, the Carper bill delineates a number of circumstances in which companies cannot use the law to seek liability protections, such as price-fixing or monopolizing a market. CISPA doesn't have such limits.
Industry's Viewpoint
Larry Clinton, president of the industry group Internet Security Association, contends the specificity on liability in Carper's bill could prevent businesses from sharing cyberthreat data. The good-faith provision in CISPA, but absent in the Carper bill, would let "private entities make security decisions based on the shared information," Clinton says. "What good is having the information if you can't use it or you are going to be pulled into court for using it? Too many [businesses] might not be willing to do the sharing in the first place, so it undermines the core basis for the bill and weakens both security and privacy."
But the administration, in its 2013 threat to veto CISPA, contended CISPA too broadly defined liability protections. "Specifically, even if there is no clear intent to do harm, the law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage or otherwise injure or endanger other entities or individuals," the statement on administration policy said.
Despite the differences between the two approaches to liability protection, compromise is not out of the question because both sides want cyberthreat sharing legislation enacted. "I think there is a place for bipartisan compromise to get through both houses and get the president to sign it," says a Republican congressional source familiar with cybersecurity legislating in the House.
Changing Dynamics
Republicans see the president seemingly having "a change of heart" on liability protection, the source says, adding that "all of a sudden Obama is talking about it's an urgent priority - we absolutely need to have a cyber bill - and he's coming out with all of his own proposals."
The GOP source contends the public clamor over recent breaches, such as the Anthem hacker attack, has shifted the public's cybersecurity conversation away from concerns about potential privacy and civil liberties violations in the wake of the Edward Snowden leaks about the National Security Agency's policies. "They have been replaced by concerns over all these hacking stories that have suddenly gone out there in the past couple of months," he says. And, he says, those concerns could result in a legislative compromise being reached.
As for privacy and civil liberties protections, the Carper bill - unlike CISPA - would require businesses to make a reasonable effort to strip individuals' personally identifiable information before sharing cyberthreat information. Some businesses contend that removing PII from records to be shared could be too burdensome. CISPA, for its part, would require the government to periodically review its policies to assure individuals' privacy protections.
Holding Corporations Accountable
Obama's 2013 veto threat expressed the administration's concern that CISPA didn't require businesses to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. "Citizens have a right to know that corporations will be held accountable - and not granted immunity - for failing to safeguard personal information adequately," the statement on administration policy said.
But the Internet Security Association's Clinton doesn't see bridging the differences on privacy and civil liberties safeguards between the Obama/Carper proposal and CISPA as being as critical an issue as reaching a consensus on liability protections. "I don't basically have a problem with protecting PII," he says. "We don't need that sort of information to improve our cybersecurity. That is why I don't think there really ought to be a standoff between the privacy and security people. We ought to all be on the same side."