McCaul to Unveil Threat Info-Sharing Bill
Measure Would Provide Industry with Liability Safeguards
The chairman of the House Homeland Security Committee, Rep. Mike McCaul, says he will introduce in the coming days legislation to incentivize businesses to share cyberthreat information with the federal government.
McCaul says his bill would designate the Department of Homeland Security's National Cybersecurity and Communications Integration Center, known as NCCIC, as the portal businesses would use to share cyberthreat information with the government to help prevent breaches.
The Texas Republican announced his intention to introduce the legislation less than one week after the Senate Intelligence Committee amended and then approved the Cybersecurity Information Sharing Act in a secret session (see Senate Intel Panel OK's Info-Sharing Bill). A key difference between the two bills is that CISA would allow businesses to share information with intelligence agencies, something McCaul says his bill does not address. He says the two pieces of legislation could be complementary, adding that he doesn't want businesses to be prevented from sharing cyberthreat information with intelligence or other agencies, such as the Treasury Department.
'Robust' Liability Protections
McCaul, speaking March 17 at the think tank Center for Strategic and International Studies, says his bill would provide more "robust" liability protections for businesses that share cyberthreat information than does legislation proposed by President Obama, which is reflected in a bill introduced by Sen. Tom Carper, D-Del.
Carper's bill limits liability safeguards to threat information shared with NCCIC and information sharing analysis organizations, or ISAOs, that would be established by industry with government approval (see Could Costs Impede Info-Sharing Plan?). McCaul did not provide further details on how his bill would furnish stronger liability protection.
Rep. Mike McCaul discusses his cyberthreat information sharing bill.
A consensus exists in Congress, the White House and industry that government and the private sector must share cyberthreat information to defend against cyber-attacks and that companies need liability protection to be assured that they won't be sued for sharing cyberthreat information.
Some privacy and civil liberties advocates have voiced opposition to CISA, the Senate intelligence panel bill, contending it would allow the National Security Agency and other intelligence services to gain access to cyberthreat information that exposes the personal information of U.S. citizens. The sponsors of CISA say they've modified the bill to provide privacy protections.
McCaul says his legislation would require the scrubbing of personally identifiable information being shared with the government so Americans don't have their sensitive information exposed. It also would require the government to destroy shared personal information that's unrelated to cybersecurity risks or incidents.
Built-In Privacy Oversight
Because NCCIC is a unit of DHS, it can offer added privacy protections, the Congressman says. "DHS has some of the strongest privacy protection mechanisms in the federal government and has the first statutorily established privacy office," he says. "Such built-in privacy oversight is an important reason why DHS is the leading civilian interface for these exchanges. In fact, privacy advocates have already endorsed NCCIC's role as an information sharing portal."
McCaul says he expects the Homeland Security Committee will review and approve his bill within the next two weeks, and he hopes the full House would consider it by the end of April. CISA sponsors say they hope to get a floor vote in the Senate on their bill by mid-April.