Senators hopeful on cyber info sharing bill

Top senators are optimistic about the prospects of a bill to facilitate the exchange of cybersecurity information between the public and private sectors following the chamber’s first 2015 hearing on the issue.

“It’s a matter of concentrating on the shared goal of trying to reduce these cyberattacks,” Sen. Ron Johnson (R-Wisc.), chairman of the Senate Homeland Security and Governmental Affairs Committee, told reporters following the hearing. “So I’m actually encouraged by it.”

{mosads}Industry and security executives on Wednesday made their pitch for a bill they’ve been urging Congress to pass for years. They argued such an exchange of data is necessary to better detect and prevent cyber intrusions on America’s critical infrastructure.

“It’s the single highest-impact, lowest-cost, fastest-[to]-implement capability we have at hand as a sector and as a nation,” said Marc Gordon, chief information officer for American Express.

Congress has repeatedly stumbled in their efforts to pass a bill, plagued by privacy concerns that such a measure would enable further government surveillance on Americans.

“If we don’t get [cyberattacks] under control,” Johnson said during the hearing, “the threat in terms of loss of privacy is really even greater.”

In the last year, a barrage of high-profile cyberattacks on companies like Target, Home Depot, Michaels and JPMorgan have exposed hundreds of millions of consumers’ data and raised the pressure on Congress to move on a bill. The recent digital assault on Sony Pictures, which crippled the film studio’s networks and nearly caused the cancellation of a big-budget comedy, has only brought more attention than ever to the issue.

On Wednesday, Homeland Security ranking member Tom Carper (D-Del.) pledged action “very soon” on a bill. “My guess, my expectation is we’ll be much more involved this year” on cyber info sharing, he told reporters after the hearing.

But neither Carper nor Johnson tipped their hands on exactly what that action might look like.

While most lawmakers agree Congress should move on a bill to encourage cyber threat info sharing between the public and private sectors, they have been unable to agree on the details.

Witnesses told the committee that industry’s hands are tied when it comes to sharing information with the government. They need government-granted legal liability protection first.

Without that protection, companies are “often unwilling or unable to share” information with the government, said Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing Group. If the government released the shared information, companies would face reputational risks with the public, security risks from hackers and regulatory risks from government agencies, he said.

Conversely, privacy advocates argue Americans could lose their civil liberties if companies broadly share cybersecurity information — which can include sensitive personal data — with the government.

“Are we creating an environment where we’re going to promote oversharing with the government?” Sen. Cory Booker (D-N.J.) asked. “I’m really worried about that. In many ways it’s just giving the government access to another level of domestic surveillance.”

There are several competing cyber info-sharing measures floating around Congress, which has complicated the issue.

Last Congress, the Senate nearly passed a bill, the Cybersecurity Information Sharing Act (CISA), that would have given liability protections to companies sharing information with the National Security Agency (NSA). Rep. Dutch Ruppersberger (D-Md.) recently reintroduced a House version of CISA, known as the Cyber Intelligence Sharing and Protection Act.

The White House also recently introduced their own legislative proposal, intended to assuage some of the privacy concerns that have derailed previous efforts. The offering put the Department of Homeland Security (DHS), not NSA, at the center of a public-private cyber info exchange.

“It was a significant improvement over the Senate’s last look at information sharing,” said Greg Nojeim, director of the Freedom, Security & Technology Project at digital advocate the Center for Democracy & Technology (CDT).

The offering better restricts government from misusing the private sector data and does a “pretty good job” of requiring companies to strip personally identifiable information from the data before transferring it to the government, Nojeim said.

“A constructive step forward,” said Peter Beshar, general counsel at cyber insurance company Marsh & McLennan.

Carper has pledged to get a version of the administration’s bill introduced, hopefully with Johnson.

“We’ll continue to look at that,” Johnson said, adding that he also wants see what the Senate Intelligence Committee does. The panel was behind last session’s CISA push.

During the hearing, Johnson peppered witnesses with questions about the White House offering.

“Does the White House proposal contain adequate liability protections?” he asked.

Industry witnesses agreed that it contained the basic desired protections, but lacked enough incentives for company-to-company cyber threat sharing.

“To be fair,” said Gordon of American Express, “you can share to a private hub and that hub can share back out to the private sector.”

But the “biggest obstacle” to cyber info-sharing legislation remains Congress’s inability to curb the NSA’s surveillance authority, said CDT’s Nojeim.

The security community has been waiting for indication from the committee’s leaders about their plans for cybersecurity information sharing legislation in 2015.

“I think you gotta do that before you get to cybersecurity information sharing,” he said.

Still, Johnson insisted to reporters after the hearing that a bill is feasible.

“If we concentrate on the shared goal of enhancing the economic and national security of America, and in this case trying to provide some measure of additional cybersecurity, I think that’s what’s going to bring this across the goal line,” Johnson said.