President Obama Friday issued an executive order to help advance cyber threat information sharing between the public and private sectors, but it doesn’t provide legal protection for companies that share such information.
While some observers have echoed the argument of businesses and privacy advocates that cyber info-sharing is doomed to fail without legal liability protections, the Cyber Threat Sharing Act of 2015 introduced Wednesday by Sen. Tom Carper (D-Del.), ranking member of the Senate Committee on Homeland Security and Governmental Affairs, “would take critical steps to remove barriers in order to increase the sharing of cyber threat data between private industry and the federal government,” his office said.
“Today, those seeking to do us harm do not need to travel thousands of miles to carry out an attack,” Carper said in announcing his legislation. “They can disrupt our lives and cause great damage with just a few keystrokes at a computer. Last year, Congress made strides in bolstering our nation’s cyber defenses by passing four cybersecurity bills that strengthen our national security and help modernize our nation’s cybersecurity and cyber workforce. But more must be done. One of our top priorities in Congress must be to promote the sharing of cyber threat data among the private sector and the federal government to defend against cyber-attacks and encourage better coordination.”
The legislation coincided with Obama’s $14 billion Fiscal Year 2016 budget proposal to shore up the government’s ability to deal with cyber threats to federal and private systems.
When Obama first proposed cybersecurity legislation in January that would allow the private sector to share more information on cyber threats with protection from liability, criminalize the sale of stolen financial data and require companies to notify consumers about data breaches, it met with a mixed reaction from both Capitol Hill and industry experts because of concerns over the adequacy of the liability protections for info-sharing and over privacy.
In light of the failure of Obama’s executive order to specifically address these concerns, the business community and cyber authorities remain skeptical.
There is “no protection from liability – without this feature, the information sharing that all parties agree is essential to address cyber threats – which the President referred to in his speech preceding his signing of the executive order as a ‘cyber arms race’ – simply will not occur,” said Robert Cattanach, a partner at the international law firm Dorsey & Whitney and a former trial attorney for the Department of Justice and special counsel to the Secretary of the Navy specializing in cybersecurity matters.
He also said there’s “no carrot for Congress – the executive order implicitly concedes that liability protection requires legislation. The President ticked off a number of recently proposed legislative initiatives emanating from the White House, including a National Breach Notification law, a Privacy Bill of Rights, Student Digital Privacy and others. But little, if any, progress has been made in the Congress, and no committee chairs have taken meaningful leadership steps to move any legislation on these subjects forward in the near term.”
“We applaud the White House’s commitment to information sharing initiatives that will help our country ward off damaging cyberattacks,” said Tim Pawlenty, President & CEO of the Financial Services Roundtable (FSR), adding, “We hope this will push Congress to swiftly enact cyber threat information sharing legislation that provides strong liability protections so companies can share critical threats with each other and the government as they work to protect customers from the next major cyberattack.”
The FSR said, “The executive order calls on the private sector to develop a new mechanism for threat sharing,” but, “Because executive action cannot enact liability protections, legislative action is still needed from Congress. FSR urges Congress to act quickly to pass effective cyber threat information sharing legislation.”
However, Carper said the Cyber Threat Sharing Act of 2015 he introduced this past week “builds on the cybersecurity bills President Obama signed into law last year by empowering companies with clear legal authority and liability protection to share critical data while still maintaining privacy protections. This bill reflects the valuable input of the administration and incorporates insights and advice from our committee’s hearing on the topic earlier this month.”
“Introduction of this bill is the logical next step in this conversation,” Carper continued, adding, “I value the work the leaders of the Senate Intelligence Committee and others have done on this issue. I invite and encourage all stakeholders to engage with my colleagues on the Homeland Security and Governmental Affairs Committee and me and provide feedback on how we can make this bill better in an open and transparent process. We must all work together to find a legislative solution that will address our cybersecurity needs while upholding the civil liberties we all cherish. And given the threats we face today, we must move with a sense of urgency. The country is counting on us.”
The Cyber Threat Sharing Act of 2015 would increase the sharing of cyber threat data to help combat cyber attacks in several key ways. It would authorize the sharing of critical information and provide liability protections, and it would clearly authorize the sharing of cyber threat data with the National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security and with information sharing and analysis organizations that have self-certified that they follow best practices for the operation of such organizations.
“The bill makes clear that any cyber data sharing and analysis center or private organization can self-certify as an information sharing and analysis organization under the bill,” Carper’s office said, noting that “the bill grants liability protections to companies for sharing cyber threat data with the NCCIC or an information sharing and analysis organization that has self-certified it is following best practices.”
“Now, more than ever, Congress must take aggressive action to remove legal barriers to improve private entities’ ability to share information to combat these attacks,” House Committee on Homeland Security Chairman Michael McCaul (R-Texas) said Friday.
McCaul said, “Last year, I shepherded bipartisan cybersecurity legislation through Congress and into law, including a bill to authorize [the] Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). My committee is now taking the next steps and working on new legislation, which will include liability protections for cyber threat information sharing. While I am glad that the president finally came to the table on this issue and delivered a proposal to Congress last month, many questions remain. This hearing will examine the details of his plan and help to inform our legislative process, as we work with our partners in the House and Senate on this issue.”
Last Congress, the Senate Committee on Homeland Security and Governmental Affairs authored several cybersecurity bills which Obama signed into law in December, including the Federal Information Security Modernization Act to update the Federal Information Security Management Act, the National Cybersecurity Protection Act of 2014 authorizing a National Cybersecurity and Communications Integration Center at the Department of Homeland Security for information sharing, and two bills to improve the federal cybersecurity workforce — the Cybersecurity Workforce Assessment Act and the Border Patrol Agent Pay Reform Act, which contained provisions from the DHS Cybersecurity Workforce Recruitment and Retention Act of 2014.
“As the President observed,” Cattanach said, “addressing cyber threats is not a partisan issue. But the conflicting tension between prompt sharing of cyber threat information, and the need to protect individual privacy and civil liberties, is formidable and will not abate any time soon. The White House and Congress need to set aside intractable political agendas and work together to prioritize legislative initiatives on cyber issues – pass something, and use the momentum from that to make progress on the harder issues.”
He added that they also need to, “Articulate a credible and effective policy that addresses hack-backs – if the private sector is expected to do nothing to defend itself out of fear the FBI will investigate it for violating the Computer Fraud and Abuse Act (CFAA), then the government needs to step forward and respond with appropriate measures under appropriate circumstances.”
Ian Amit, Vice President of ZeroFOX, said, “The CFAA should be updated and amended to a reasonable criminal prosecution procedure, while allowing innovation and research to coincide with the ever-evolving industry. Stifling innovation in the name of prosecuting low hanging fruit has proven to be detrimental to openness to further innovation. It has also raised major issues with constitutional rights, which will hopefully result in the CFAA being amended based on professional, technical, and legal guidance.”
“Strengthening public-private collaboration in the form of providing incentives and safe-harbor for breach notification and threat information sharing” is also required, Amit said. “Currently, companies are not keen to notify on breaches when it is not mandated by law/regulation. This situation endangers whole industry segments that may be under the same kinds of threats.”
Consequently, Amit said, “legislation [must be established] around cybersecurity malpractice and liability for both practitioners (consulting companies) as well as organizations (i.e. chain of management up to the board). The current situation involves incompetent practitioners offering a ‘clean bill of health’ and creates a false sense of security, which leads to major breaches that have an impact on the economy at large. Additionally, even when proper guidance and advice is provided by practitioners, organizations can choose to neglect, ignore or assume the risk. Such negligence leaves millions of Americans at risk."
Dave Frymier, Unisys’ CISO, said he believes the privacy and surveillance concerns are overblown and shortsighted.
He pointed out that, “Similar information sharing programs are currently working successfully in the Department of Defense (DoD).”
“The rewards of such a program far outweigh the risks associated, which is why this will ultimately lead to its long-term success,” Frymier said, emphasizing that, “There is an example of how this can work in the DoD. They are six years into a voluntary information sharing program among cleared defense contractors. The program is governed by a framework agreement which describes the terms and conditions of onward transfer of any shared information. Its longevity demonstrates it clearly works – so both sides must be getting enough out of it to make it worth doing.”
“I think the privacy and/or surveillance concerns are both overblown and shortsighted,” Frymier reiterated, saying, “As long as the program is voluntary, the entity sharing the information can redact it to whatever extent their lawyers feel comfortable with. Not doing information sharing in the face of the current cyber threats because of privacy concerns is like not getting cancer therapy because you fear the side effects of radiation.”
Cattanach also said there’s “no mention of cyber counterattacks” in Obama’s executive order.
“While the President hinted at the need to ‘disrupt attacks’ underway,” Cattanach said, “the simple truth is that such attacks are almost always over before they are discovered; disrupting an ongoing attack is probably something that those in the private sector with an appetite for risk could probably undertake without clearly violating the Computer Fraud and Abuse Act. But a meaningful response to cyber terrorism requires more. It is time for the White House and Congress to join forces and articulate a clear public policy, backed up by meaningful resources, to respond to bad actors that have been identified as responsible for cyber terrorism.”