A Maryland congressman on Jan. 8 re-introduced cyber security legislation, which previously passed the House but not the Senate, aimed at strengthening the sharing of cyber threat data between the federal government and the private sector and at providing incentives for companies to voluntarily share threat information with the government.
“Most recently, Sony was hit by a severe cyber attack by North Korea, the first destructive attack we’ve seen yet, and it cost the company millions of dollars,” Rep. C.A. “Dutch” Ruppersberger (D) said in a statement introducing the Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 234), which easily passed the House in the last Congress with bipartisan support. “We must stop dealing with cyber attacks after the fact.”
Ruppersberger was the ranking member of the House Intelligence Committee in the last Congress and worked closely with the committee’s former chairman, Mike Rogers (R-Mich.), on CISPA. Rogers did not seek reelection to Congress in November.
The CISPA bill has been referred to several House committees including Armed Services, Homeland Security and Judiciary, in addition to the House as a whole.
Separately, Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee, on Jan. 8 said in an op-ed in The Washington Times that he will lead an effort this year to pass cyber security legislation that removes legal barriers that limit the private sector’s sharing of threat information. He sees providing liability protections as a means to remove these legal barriers, a House staffer said.
In addition to strengthening the private sector’s willingness to share cyber threat information, McCaul believes that liability protections can be used as an incentive for companies to strengthen their cyber security postures.
McCaul wrote that “Congress must do more to incentivize private entities to invest in great cybersecurity practices and procedures. One such incentive would be to clarify that companies could have their cyberdefenses certified as sufficient under the Safety Act, which would provide important legal liability protections in the case of a large-scale cyberattack.”
The Safety Act, which is administered by the Department of Homeland Security, is used by a number of companies to have their technologies and services certified, which provides them with limited liability protections following a terrorist attack.
In December, Congress passed a number of cyber and information security bills, later signed by President Barack Obama, that among other things codify a round-the-clock cyber watch center in DHS, the National Cybersecurity and Communications Integration Center (NCCIC), making it the federal civilian interface for sharing information about information security risks and creating rules of the road for that sharing.
Ruppersberger’s CISPA bill, for which he is now gathering co-sponsors, would require the Director of National Intelligence to establish procedures for the intelligence community to share cyber threat information with the private sector. The bill would also allow private sector entities to share cyber threat information with the federal government and require any federal agency receiving such information to share it in turn with the NCCIC. Provisions of the bill would also require that such information be treated as proprietary and not be disclosed outside the federal government.
The CISPA bill also includes liability protections, something the legislation passed by Congress and signed by Obama in December does not. The bill provides a liability exemption in federal and state court for private entities acting in “good faith” if they use “cybersecurity systems to obtain cyber threat information or for sharing such information” or “for decisions made based on cyber threat information identified, obtained, or shared under this section.”
Larry Clinton, president of the multi-sector Internet Security Alliance, told sister publication Defense Daily on Jan. 7 that the bills approved in December are good in that they refine DHS’s roles and responsibilities related to cyber security and codify existing processes for information sharing, but they don’t create the incentives that CISPA does for companies to share more information with the government than they do now and to adopt better security practices and systems.
The “current problems,” Clinton said, are that computer systems are vulnerable and becoming more so; that the economics favor the attackers, because hacking is relatively inexpensive and there is very little law enforcement; and that the attack community is becoming more sophisticated, not just at the nation-state level but among common criminals.
Information sharing by the private sector still remains limited because companies fear that by sharing the federal government may “come after them” in the sense that disclosures will prompt calls for regulation, Clinton said. “Effective” liability protection would make companies more comfortable in sharing information with the federal government, he said.
Faye Francy, the executive director of the Aviation Information Sharing and Analysis Center (ISAC), told sister publication Defense Daily via email on Jan. 7 that the limited liability protections afforded in CISPA and a companion bill that the Senate Intelligence Committee approved last summer “would constructively influence businesses’ decisions to share cyber threat data and countermeasures more quickly and frequently.”
However, regarding federal sharing of threat data with industry, Francy said that this is a “struggle” for the government because of “onerous” processes and approvals as well as legal issues. Francy said that the DHS Cyber Information Sharing and Collaboration Program works with the ISACs to improve the ability to share “actionable and timely” threat intelligence. She added that the legislation would complement Obama’s 2013 executive order on cyber security, which calls for more timely information sharing by the government with the private sector.
There are a number of ISACs, such as the Aviation ISAC, whose missions are to improve the physical and cyber security of the critical infrastructures of North America by sharing information with each other and with the government.
Although the CISPA bill contains a number of provisions designed to safeguard privacy and civil liberties, it has been opposed by organizations such as the Electronic Frontier Foundation, which argues there are no impediments to information sharing between the federal government and the private sector.
Of CISPA and similar bills, EFF legislative analyst Mark Jaycox wrote in a Jan. 8 blog post that “They replicate information sharing already being done by DHS, but with little to no privacy protection. Lawmakers should be encouraging the use of DHS’s information sharing hub instead of proposing redundant regimes.”
Both Clinton and Jaycox agree that, even if CISPA had been in effect, the hack of Sony Pictures Entertainment that was discovered in November would not have been thwarted. Jaycox said this is because information is already being shared, while Clinton said there remains a lack of incentives to “promote cyber security broadly.”
In addition to liability protections, Clinton argues for other incentives such as streamlining regulatory processes for good actors, better use of private insurance, and tax breaks for smaller companies so they are more likely to strengthen their computer security.
Sen. Ron Johnson (R-Wis.), the new chairman of the Senate Homeland Security and Governmental Affairs Committee, said this week that cyber security will be one of his top priorities, although he hasn’t outlined an agenda yet.