President Obama on Tuesday outlined a new bill designed to improve the sharing of cyber threat data by the private sector with the government and strengthen legal authorities to combat cyber crime.
Details of the forthcoming legislative proposal are scarce, but the White House said in a summary that it will promote information sharing by offering targeted liability protection for companies that share information with the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC).
Limited liability protections are important to industry, which is concerned that without the protections companies that voluntarily share information with the government would open themselves to lawsuits in some instances. That said, there are currently channels in place for critical infrastructures to share information with the DHS and the Defense Department.
In 2013 the House approved cyber threat information sharing legislation, the Cyber Intelligence Sharing and Protection Act (CISPA), which included liability protections for private sector entities that voluntarily share threat indicators with the federal government. That legislation was never voted on in the Senate.
This month Rep. Dutch Ruppersberger (D-Md.), one of the original authors of the bill, re-introduced CISPA and Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee, said he would work on legislation this year that also bolsters information sharing between the private and public sectors.
Larry Clinton, president of the Internet Security Alliance, told Defense Daily the president’s proposal is a good step to “begin to move the ball in a positive direction. I think it’s important that the President of the United States is making cyber security a higher priority for himself personally and I think that the overall approach that he and the administration are taking is a constructive one.”
Clinton favors using liability protections to incentivize information sharing by the private sector rather than using “antiquated” regulatory prescriptions to force the sharing.
Under the pending legislative proposal, private entities would share cyber threat information with the NCCIC, which in turn would share the data with “relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations (ISAOs),” the White House summary says.
Scott Algeier, executive director of the Information Technology-Information Sharing and Analysis Center (ISAC), told Defense Daily any legislation to promote information sharing between the private sector and the government is good, noting though that plenty of IT companies are already sharing cyber threat data.
The ultimate goal, though, is “to create enhanced situational awareness” about the cyber threat, not simply the sharing of information, Algeier said. One of his concerns is that “we’re focusing too much on the information sharing part and not enough on developing a strategy for enhancing national situational awareness about where the cyber threat is.”
Algeier also is concerned that the White House proposal is too focused on the NCCIC being “the center of the universe” for information sharing when companies and organizations need to be sharing with each other. “We can’t do that at the expense of industry sector specific forums,” he said.
The NCCIC won’t always “understand how a threat is important to specific sectors,” Algeier said, adding that various industry sectors need ways to share information among themselves. Smaller companies also need to be able to take advantage of the information larger companies in their sector have related to global threats, thus “benefiting from the threats they’re seeing and the practices they’re using to mitigate those threats,” he said.
The ability of the NCCIC to scale “is very small,” and it lacks the resources in many cases to digest the information coming in, Algeier said. By sharing information with each other, companies don’t have to wait for the NCCIC to find out what’s important, he said.
It is somewhat unclear what the purpose of the ISAOs would be in Obama’s proposal. There are nearly 20 ISACs now that address physical and cyber security issues through information sharing. Algeier said his “impression” is the ISAOs would include but not be limited to the ISACs.
The White House said the private-sector-led ISAOs would serve as focal points for the NCCIC to share threat information with the private sector in “as close to real-time as practicable.”
The proposal would also strengthen law enforcement authorities to investigate and prosecute cyber crime by allowing for the prosecution of the sale of botnets, criminalizing overseas sales of stolen U.S. financial information such as bank account numbers, and allowing courts to shut down botnets engaged in criminal activity. The legislation would also modernize the Computer Fraud and Abuse Act so that insiders who abuse their access to information can be prosecuted.
To strengthen privacy protections, the proposed legislation would require companies to take measures to protect any personal information that must be shared in order to qualify for liability protection. It also requires DHS and the Justice Department to work with the Privacy and Civil Liberties Oversight Board and others to develop guidelines for the federal government on the receipt, retention, use and disclosure of information.
The White House said it will host a summit on Feb. 13 at Stanford University to convene stakeholders from government, industry, law enforcement and others to discuss cyber security and consumer financial protection issues. The Summit on Cybersecurity and Consumer Protection will “help shape public and private sector efforts to protect American consumers and companies from growing threats to consumers and commercial networks,” the White House said.
The Electronic Frontier Foundation, which argues for the protection of civil liberties in the digital environment, described Obama’s proposal as “old ideas that should remain where they’ve been since May 2011: on the shelf.” It says that current “secrecy” among the national security and law enforcement communities combined with the proposal to bolster information sharing means there could be more sharing of personal information with intelligence and law enforcement agencies.
Eric Chiu, president of the cloud computing management firm HyTrust, said Obama’s cyber proposals around privacy are a “good step,” but said that in the end better security will come down to companies themselves.
“However, like any legislation, this won’t change how companies act unless there are real consequences and penalties,” Chiu said. He added that companies “need to think of security as a part of doing business.”
Sen. Dianne Feinstein (D-Calif.), ranking member of the Senate Intelligence Committee, who coauthored legislation in the Senate similar to CISPA, said her bill should still be a priority, adding that she is hopeful that she can work with Committee Chairman Richard Burr (R-N.C.) to see how the president’s proposal compares with hers “and get a new bill introduced as soon as possible.”