President Obama’s recent initiatives to encourage more cyberthreat data sharing are receiving mixed reviews from Congressional leaders, industry groups, and cybersecurity experts, but several committees are moving forward on similar approaches in the hopes of finding a compromise.
In January, the president urged Congress to pass a cybersecurity measure to provide liability protection to companies that share threat information with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC). The NCCIC would then disseminate the data to relevant federal agencies and to private sector-led information sharing and analysis organizations (ISAOs). Legislation (S. 456) incorporating these provisions was introduced by Senator Tom Carper (D-DE), ranking member of the Senate Committee on Homeland Security and Governmental Affairs.
“While many companies currently share cybersecurity threat information under existing laws, there is a heightening need to increase the volume and speed of information shared without sacrificing the trust of the American people or the protection of privacy, confidentiality, civil rights, or civil liberties,” said Suzanne Spaulding, DHS under secretary for the National Protection and Programs Directorate, at a February 25 House Homeland Security Committee hearing. “It is essential to ensure that cyber threat information can be shared quickly among trusted partners, including with law enforcement, so that network owners and operators can take necessary steps to block threats and avoid damage.”
At a March 4 hearing in the same committee, industry stakeholders told members of Congress that they welcome the President’s proposal, but raised concerns that it does not go far enough in protecting U.S. companies that face liability risks, such as consumer or shareholder lawsuits, when they voluntarily share cybersecurity breach information with government or industry partners.
According to Matthew J. Eggers of the U.S. Chamber of Commerce, a draft cyber threat information sharing bill being circulated by Senate Intelligence Chairman Richard Burr (R-NC) and Ranking Member Dianne Feinstein (D-CA) “reflects practical compromises among many stakeholders on these issues.” It has been reported that the bill will be formally introduced and marked up by the committee as early as this week.
According to Eggers, businesses would not be protected under the President’s proposal when monitoring information systems and sharing or receiving countermeasures. The protected avenues for sharing cyber threat indicators “are far too narrow and limiting and do not reflect the information-sharing relationships that businesses have built up over time, for instance, with DHS, the departments of Energy and Treasury, and law enforcement agencies,” he said.
In addition to his legislative proposals, the President on February 25 directed the Director of National Intelligence (DNI) to establish the Cyber Threat Intelligence Integration Center (CTIIC), a new government agency housed within the Office of the Director of National Intelligence. The CTIIC will combine cybersecurity data from across the intelligence community to produce coordinated cyber threat assessments and a more holistic approach to analyzing cyber threats.
According to a White House fact sheet, “the CTIIC will be a national intelligence center focused on ‘connecting the dots’ regarding malicious foreign cyber threats to the nation and cyber incidents affecting U.S. national interests, and on providing all-source analysis of threats to U.S. policymakers. The CTIIC will also assist relevant departments and agencies in their efforts to identify, investigate, and mitigate those threats.”