Federal cybersecurity received a much-needed boost last Congress with the passage of five bills, including provisions to update a 12-year-old law for securing federal information systems and to improve the Department of Homeland Security’s cyber workforce.
But those bills fell short of setting clear parameters for information sharing between the government and companies, as well as across the private sector. The hope is that additional legislation will enable real-time sharing, “with a speed and a sufficient depth that we can effectively generate almost what I think of as the weather map for cyberspace so that we actually know and have some visibility into what is happening,” according to an administration official.
President Barack Obama hopes to capitalize on Congress’ momentum to push his cybersecurity agenda, which he previewed ahead of his Jan. 20 State of the Union address. Speaking at DHS’ 24/7 cybersecurity operations center in Arlington, Va., on Jan. 13, Obama said he has been in talks with congressional leaders about the need for cybersecurity legislation, and he is confident that they “should be able to craft bipartisan legislation soon.”
“We’re going to keep on working with Congress to get this done,” Obama said. “And in the meantime, we’re going to do everything we can with our existing authorities to make sure industry gets the information it needs to better defend itself.”
The president expressed similar sentiments during his State of the Union address:
No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. So we're making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.
And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information. That should be a bipartisan effort.
Sen. John Thune, who met with Obama and other congressional leaders this week, welcomed the president’s efforts to advance cyber legislation but criticized the president’s timing, according to The Hill.
“This level of personal engagement on legislation by the president certainly would have helped advance the bipartisan cybersecurity information sharing bill,” Thune, who chairs the Senate Republican Conference, was quoted as saying in The Hill.
“President Obama’s engaged support for similar legislation this Congress would help address cyber threats, improve privacy protections, and would also begin to address concerns over the president’s go-it-alone approach of unilateral executive actions on cyber and other issues,” Thune added.
House Homeland Security Committee Chairman Michael McCaul, R-Texas, shared similar sentiments. “While it took an attack on Hollywood for the president to re-engage Congress on cybersecurity, I welcome him to the conversation,” McCaul said in a statement.
Following the president’s legislative announcement, Sen. Tom Carper, D-Del., stressed the need for Congress to promote cybersecurity information-sharing as a top priority. “It is essential that any information-sharing bill strike an appropriate balance between the ability to share necessary data and to protect privacy and civil liberties,” he noted in a statement.
The administration has yet to release the revised cybersecurity legislative proposal, which builds on a similar proposal released in 2011. Among the updates is a refined approach to privacy and civil liberties, including a measure that would require companies to remove unnecessary personal information before sharing threat data and a measure that would direct the attorney general and DHS secretary to work with other senior officials to develop guidelines for the government’s use, retention and destruction of that data. Authorized use of the data would be restricted to investigating cybercrimes, major threats to minors or threats of bodily harm, the administration official explained.
The legislative proposal will include three sections that focus on the following:
Improving cyberthreat sharing from the private sector to government and among companies.
Standardizing breach notification requirements nationwide.
Enhancing law enforcement capabilities to prosecute and thwart cybercrime.
The proposal would authorize companies to share cyberthreat indicators, primarily technical data, IP addresses, time stamps and routing information, with the DHS National Cybersecurity and Communications Integration Center (NCCIC) and information-sharing and analysis organizations (ISAOs) led by the private sector, according to the administration official.
ISAO, not to be confused with information-sharing and analysis center (ISAC), is a broader term defined in the 2002 Homeland Security Act that would give companies greater flexibility to organize themselves and not be restricted to sector-based information sharing, the official noted.
Raising DHS’ Profile in Cyberspace
Under the legislative proposal, companies that complied with the guidelines for sharing threat data would receive liability protections. The specifics of those protections are not clear, but the official did note that to receive them, companies would have to share data with either the ISAOs or the DHS NCCIC.
“The E.O. 13636, from almost two years ago, focused on the government to the private sector,” the official explained. “And this focuses on the other two legs, that private sector back to the government, or that private sector to private sector sharing, as long as it’s going through an information-sharing and analysis organization.”
The Devil Is in the Details
The nonprofit Electronic Frontier Foundation (EFF), which advocates for civil liberties in the digital world, sharply criticized the administration’s cyber legislative proposal.
In a joint statement, EFF legislative analyst Mark Jaycox and senior staff attorney Lee Tien said: “Introducing information sharing proposals with broad liability protections, increasing penalties under the already draconian Computer Fraud and Abuse Act, and potentially decreasing the protections granted to consumers under state data breach law are both unnecessary and unwelcome.”
“As with any legislation, the devil is in the details, and we'll continue to monitor the situation,” they added.
Dan Waddell, director of government affairs for security organization (ISC)², called the administration’s proposed breach notification requirements a good start but said more details are needed. Those details are due out next month.
“Implementing this legislation would require both planning and the right people in place to execute,” Waddell said in a statement. “First, we need to consider how the term breach is defined — i.e., what would need to happen to require notification? If breached data is encrypted, would that require notification?”