The Cyber Threat Sharing Act of 2015, introduced Wednesday by Sen. Tom Carper (D-Del.), ranking member of the Senate Committee on Homeland Security and Governmental Affairs, is intended to better protect private industry and the federal government from evolving and growing cyber threats to national and economic security. It came on the heels of President Obama’s Fiscal Year 2016 budget proposal, which seeks $14 billion to shore up the government’s ability to deal with cyber threats to federal and private systems.
When Obama first proposed his cybersecurity legislation in January, it was met with mixed reactions from both Capitol Hill and industry experts. That proposal would allow the private sector to share more information on cyber threats with protection from liability, criminalize the sale of stolen financial data and require companies to notify consumers about data breaches.
This week, Lisa Monaco, assistant to the president for homeland security and counterterrorism, announced that the administration will stand up a new Cyber Threat Intelligence Integration Center (CTIIC) “under the auspices of the Office of the Director of National Intelligence (ODNI)” to produce “coordinated cyber threat assessments, ensuring that the information is shared rapidly among existing cyber centers and other elements within our government, and supporting the work of operators and policymakers with timely intelligence about the latest cyber threats and threat actors.”
Carper’s bill “would take critical steps to remove barriers in order to increase the sharing of cyber threat data between private industry and the federal government,” his office said.
“Today, those seeking to do us harm do not need to travel thousands of miles to carry out an attack,” Carper said in announcing his legislation. “They can disrupt our lives and cause great damage with just a few keystrokes at a computer. Last year, Congress made strides in bolstering our nation’s cyber defenses by passing four cybersecurity bills that strengthen our national security and help modernize our nation’s cybersecurity and cyber workforce. But more must be done. One of our top priorities in Congress must be to promote the sharing of cyber threat data among the private sector and the federal government to defend against cyber-attacks and encourage better coordination.”
Carper said, “The Cyber Threat Sharing Act of 2015 builds on the cybersecurity bills President Obama signed into law last year by empowering companies with clear legal authority and liability protection to share critical data while still maintaining privacy protections. This bill reflects the valuable input of the administration and incorporates insights and advice from our committee’s hearing on the topic earlier this month.”
“Introduction of this bill is the logical next step in this conversation,” Carper said, adding, “I value the work the leaders of the Senate Intelligence Committee and others have done on this issue. I invite and encourage all stakeholders to engage with my colleagues on the Homeland Security and Governmental Affairs Committee and me and provide feedback on how we can make this bill better in an open and transparent process. We must all work together to find a legislative solution that will address our cybersecurity needs while upholding the civil liberties we all cherish. And given the threats we face today, we must move with a sense of urgency. The country is counting on us.”
The Cyber Threat Sharing Act of 2015 would increase the sharing of cyber threat data to help combat cyber attacks in several key ways. It would authorize the sharing of critical information and provide liability protections, and it would clearly authorize the sharing of cyber threat data with the National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security and with information sharing and analysis organizations that have self-certified that they follow best practices for the operation of such organizations.
“The bill makes clear that any cyber data sharing and analysis center or private organization can self-certify as an information sharing and analysis organization under the bill,” Carper’s office said, noting that “The bill grants liability protections to companies for sharing cyber threat data with the NCCIC or an information sharing and analysis organization that has self-certified it is following best practices.”
Specifically, the legislation would provide for:
The sharing within the government and protection of information: The bill requires the Secretary of Homeland Security, in coordination with the Attorney General, in consultation with other appropriate federal agencies, to ensure that cyber threat data are shared with other federal entities in as close to real time as practicable. The bill ensures that cyber threat data shared with the NCCIC pursuant to the legislation will be protected from disclosure under the Freedom of Information Act and may not be used as evidence in a regulatory action against the entity that shared the cyber threat indicator.
Government to industry sharing and improved coordination: The bill emphasizes federal government sharing of classified and unclassified cyber threat data with industry. The bill would also improve coordination among agencies on how they share threat data with each other and with industry. This helps ensure that companies can receive useful protective information from within the Federal government in a timely and actionable manner.
Building in strong privacy protections: The bill narrowly defines what may be shared among industry and with the federal government to cyber threat data and requires that reasonable efforts be made to minimize data that may be used to identify specific persons.
It also would ensure strong privacy policies exist within the federal government for cyber threat sharing, and that liability protections for sharing with the federal government are only granted for sharing with a civilian agency and only once appropriate privacy policies are in place.
The bill would narrowly limit how the federal government could use cyber threat data it receives and would require transparency reports on the bill’s implementation to ensure accountability in the sharing of cyber threat data. The bill has a five-year sunset to ensure that as technology evolves, Congress can reexamine the implementation of the program to ensure it is still effective and adequately protects civil liberties.
During the last Congress, the Senate Committee on Homeland Security and Governmental Affairs produced several cybersecurity bills which the president signed into law in December. They include the Federal Information Security Modernization Act (S.2521) to update the Federal Information Security Management Act, the National Cybersecurity Protection Act of 2014 (S.2519) authorizing a National Cybersecurity and Communications Integration Center at the Department of Homeland Security for information sharing, and two bills to improve the federal cybersecurity workforce: the Cybersecurity Workforce Assessment Act (H.R.2952) and the Border Patrol Agent Pay Reform Act (S.1691), which contains provisions from the DHS Cybersecurity Workforce Recruitment and Retention Act of 2014.