Cyber Information Sharing Legislation Still Needed, Federal Officials Say
The U.S. government needs to continue to push for expanded cybersecurity information sharing capabilities as a way to protect critical infrastructure sectors, federal officials said Tuesday during a Billington cybersecurity conference. Recent federal efforts have focused on expanding information sharing via legislation like the House-passed Cyber Intelligence Sharing and Protection Act (CISPA), but former federal officials and industry stakeholders expressed doubts that Congress can complete effective legislation during the 113th Congress. The Senate Intelligence Committee cleared its own CISPA equivalent, the Cybersecurity Information Sharing Act (CISA), but industry officials have said they're increasingly pessimistic that the full Senate will vote on the bill this year (CD July 30 p6 ).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The White House has focused its efforts on pushing for Congress to pass information sharing legislation, but is also “looking for ways that we can continue to try to knock down barriers” through action in federal agencies, White House Cybersecurity Coordinator Michael Daniel told reporters. Daniel said the FTC and Department of Justice issued a joint policy statement in April repeating an earlier DOJ analysis that properly designed information sharing is “not likely to raise antitrust concerns” (CD April 11 p13). He declined to say what additional steps federal agencies could take.
NSA Director Michael Rogers, who also heads the U.S. Cyber Command, said during the Billington event that he remains a major advocate for federal information sharing legislation, which needs to contain liability protections for industry partners who share information. Both CISPA (HR-624) and CISA (S-2588) include liability protections. Former CIA and NSA Director Michael Hayden, now a Chertoff Group principal, said he’s skeptical the Senate has the time or the will to pass CISA. There was already a lack of consensus among members of Congress and the public about cybersecurity legislation before the leaks about the NSA surveillance programs began in the summer of 2013, and the “mob mentality” resulting from those leaks has probably “frozen progress” on information sharing not only for the 113th Congress, but possibly also for the 114th, Hayden said.
Retired Brig. Gen. Gregory Touhill, now the Department of Homeland Security (DHS) assistant secretary-cybersecurity operations and programs, said information sharing remains something DHS remains hopeful will move forward. FireEye CEO David DeWalt said he’s a “huge fan” of CISPA but it’s only one step in improving information sharing.
Cybersecurity remains a difficult problem to fix because people still don’t fully understand the economics and psychology of cybersecurity, Daniel said. The U.S. is still making strides in improving cybersecurity through implementation of President Barack Obama’s 2013 cybersecurity executive order, along with other technical cybersecurity work and international work to promote and protect the multistakeholder Internet governance model, Daniel said.
The White House is also readying an update to its analysis of potential incentives to encourage industry use of the National Institute of Standards and Technology’s Cybersecurity Framework, Daniel told reporters. That update is likely to come in the form of a blog post, as it has in the past, he said. That update will likely occur in October or November, possibly to coincide with October’s National Cyber Security Awareness Month, Daniel said.
The U.S. will need to start assuming that “there will be a cyber dimension increasingly in almost any scenario that we're dealing with,” including in international conflicts, Rogers said during the event. Nation-states and other actors “feel that this is an area worth investing in, because it achieves positive outcomes for them if they can penetrate systems,” he said. Rogers said the Islamic State of Iraq and the Levant terrorist group has been “aggressive” in using the Internet to show videos of beheadings, but would not discuss media reports that the group has pledged to create a “digital caliphate” nor would he assess the group’s cybersecurity threat. U.S. Cyber Command plans to expand to 6,200 employees by 2016 to aid its cyberprotection efforts, Rogers said.