Rep. Michael McCaul (R-Texas), Chairman of the House Homeland Security Committee, is releasing a draft bill this week to enhance the National Cybersecurity and Communications Integration Center (NCCIC) as a primary interface for sharing cyber threat information.
“This week, I am releasing the draft of a new bill that would further enhance the NCCIC’s role as the primary Federal civilian interface for the sharing of cyber threat information to enable timely, actionable, and operational efforts between the Federal Government and the private sector,” McCaul said at a Cyber Leaders event at the Center for Strategic and International Studies on Tuesday.
McCaul highlighted that the draft bill, which was expected to be introduced Thursday, would give protections for voluntary exchanges of cyber threat information including government-to-private and private-to-private sharing. This includes liability protections for companies to monitor their own information systems and to use defense measures to prevent intrusions, he said.
Lack of liability protection for the private sector is a problem, he said. “Companies are hesitant to share information about cyber threats and intrusions that take place in their networks. They fear that doing so could put their customers’ privacy at risk, expose sensitive business information, or even violate federal law and the duty they have to their shareholders.”
To address this, McCaul is working with the House Judiciary Committee on crafting a liability exemption standard that will be used in other cyber information sharing legislation in the House, he said.
The Department of Homeland Security will be the primary portal for information sharing in his bill, but if a private company wants to use a portal to share with the NSA, or if financial companies prefer to keep their sharing relationship with the Treasury Department, that will be allowed, he said. McCaul wants to protect current sharing relationships with several portals.
NCCIC is suited for this task because it is not a cyber regulator. “It cannot prosecute you, and it is not a spy agency. It’s a civilian interface. Accordingly, the NCCIC has no authority to do anything more with the information it receives other than use it to prevent and respond to cyber attacks and enhance our cyber posture.”
The draft will also have strong privacy protections, McCaul said.
“My draft bill would ensure when information about a breach changes hands—whether it is provided to the government or exchanged between companies—that it is thoroughly scrubbed for personal information so Americans do not have their sensitive data exposed.”
DHS already has the first statutorily established privacy office, one reason why it is the leading civilian interface for these exchanges, McCaul said.
The Homeland Security Committee is expected to mark up McCaul’s bill within the next several weeks. “Our plan is to take this legislation to the House floor next month, and when we do, we will be forward-leaning and eager to reach across the aisle to get it passed.”
When asked how his bill and Senate cybersecurity bills could be blended on the floor, McCaul said now that the Cybersecurity Information Sharing Act (CISA) has been marked up in the Senate, he anticipates the House Intelligence Committee will mark up a similar bill with sharing portals in it.
McCaul also noted the White House’s Cyber Threat Intelligence Integration Center (CTIIC), announced last month, could greatly enhance DHS’s capabilities by providing an entity that can synthesize the cyber threat information and then feed it to DHS for sharing.