Recent high-profile security breaches, including the attack on Sony Pictures and the breach of health insurer Anthem, have highlighted the reality that cybersecurity is now one of the greatest national security challenges facing the nation.
To improve preparedness and response to cyber incidents, the House Committee on Homeland Security held a hearing Wednesday to examine the President’s recent Cybersecurity Information Sharing Proposal, an executive order he issued to help advance the sharing of cybersecurity threat information between the public and private sectors.
While Obama’s executive order will help advance such sharing between the public and private sectors, critics have said it does not provide legal protection for companies that share threat information.
“Every day, our country faces digital intrusions from criminals, hacktivists, terrorists, and nation-states like Russia, China and Iran,” said House Committee on Homeland Security Chairman Michael McCaul (R-Texas). “The impacts of those intrusions are felt everywhere—from our national security secrets to the personal information of Americans.”
Although barriers to sharing cybersecurity threat information have long been considered a major hindrance to the protection of information systems, particularly critical infrastructure, US officials disagree on what federal information sharing legislation should look like.
Homeland Security Today reported last month that Obama’s proposed cybersecurity legislation has been met with mixed reactions from both Capitol Hill and industry experts because of the lack of legal liability protections for information sharing and because of privacy concerns.
“Sadly, our laws are not keeping up with the threat,” said McCaul. “For instance, fearing legal liability, many private companies choose to not disclose the threats they see on their own networks, leaving others vulnerable to the same intrusions.”
Concerns relating to privacy and civil liberties have been raised, in particular, because the White House proposal would permit sharing of specified cybersecurity information by covered private entities “notwithstanding any other provision of law.”
Eric A. Fischer, Senior Specialist in Science and Technology for the Congressional Research Service, testified that the White House would attempt to address such questions in several ways: by specifying the kinds of information shared, the structure and timeliness of sharing, and the protections for privacy and civil liberties.
Fischer explained that a wide variety of information can be shared, but that organizations should focus on sharing information that is actionable, that is, information that identifies or evokes a specific response aimed at mitigating cybersecurity risks.
The President’s proposal limits the scope of information to be shared to “cyber threat indicators,” which the White House defines as information needed to “indicate, describe or identify” malicious reconnaissance or command and control activity, methods of social engineering, methods of defeating technical or operational controls, and technical vulnerabilities, from which “reasonable efforts” have been made to remove personally identifying information about any person thought to be unrelated to the threat.
To ensure timely information sharing, the White House proposal would require the NCCIC to share cyber threat indicators “in as close to real time as practicable.” HR 234, the Cyber Intelligence Sharing and Protection Act (CISPA), and S 2588, the Cybersecurity Information Sharing Act of 2014 (CISA), would also require real-time information sharing.
Fischer noted that this raises the question of whether there should be a particular mode of sharing. He indicated that the White House has largely addressed the issue through its proposed development of automated mechanisms. Moreover, S 2588 would require development of a process to receive indicators and countermeasures electronically, including via an “automated process between information systems.”
To facilitate information sharing, the White House proposal designates the National Cybersecurity and Communications Integration Center (NCCIC) as the “federal hub for receipt and distribution of cybersecurity information.” The NCCIC would coordinate the sharing of cyber threat indicators between federal and non-federal entities.
According to Suzanne Spaulding, Under Secretary of the National Protection and Programs Directorate, “the government must have a central clearinghouse to ensure that privacy and confidentiality protections are consistently applied and that the right information reaches the right government and private sector entities.”
Spaulding added, “The NCCIC plays a critical role in the President’s recent legislative proposal because its core mission – as articulated in the National Cybersecurity Protection Act, developed by this committee and unanimously passed by the House in December – is to coordinate and serve as an interface for cybersecurity information across the government and private sector.”
While there is broad consensus that information sharing will allow quicker and more effective responses to cyber incidents, the White House proposal has generated significant debate over whether the information could be used for purposes other than cybersecurity.
The White House plans to address these concerns by limiting private-sector use of shared indicators to purposes relating to the protection of information systems and their contents; minimizing the sharing of personally identifiable information; exempting information received by the federal government from disclosure under the Freedom of Information Act; and prohibiting use of shared information for regulatory enforcement.
In addition, the White House would require penalties for federal violations of its restrictions relating to information sharing, as well as the submission of an annual report to Congress on privacy and civil liberties.
Moreover, according to Fischer, both HR 234 and S 2588 “explicitly limit federal use of shared information to cybersecurity purposes and uses relating to protection of individuals and investigation and prosecution of cybercrimes and certain other offenses.”
As Homeland Security Today previously reported, Eric Chiu, president and co-founder of HyTrust, a cloud control company, said real consequences for violations related to information sharing will be critical to the success of this legislation.
“The recent privacy legislation announced by Obama is a good step towards enabling companies to better share information on security threats and ensure that consumers receive consistent privacy notification. However, like any legislation, this won’t change how companies act unless there are real consequences and penalties,” Chiu said.
Given the importance of information sharing to cybersecurity, McCaul has urged swift action by Congress to address these concerns. Collaboration between government and the private sector will be essential to securing the homeland against cyber threats.
“We cannot leave the American people and our businesses to fend for themselves,” McCaul said. “Now, more than ever, Congress must take aggressive action.”