Senate Homeland Security Chairman Willing To 'Marry' Elements of CISA, Other Cyber Info Sharing Bills
Senate Homeland Security Committee Chairman Ron Johnson, R-Wis., said he wants to wait until the Senate Intelligence Committee’s much-anticipated redraft of the Cybersecurity Information Sharing Act (CISA) “winds its way” through committee markup before taking further action within Senate Homeland Security on cybersecurity information sharing legislation. Senate Intelligence Chairman Richard Burr, R-N.C., and Vice Chairwoman Dianne Feinstein, D-Calif., have been circulating a draft of the bill that includes more privacy protections than the bill's 2014 version, but most major privacy advocates already have opposed it publicly. The 2014 CISA cleared Senate Intelligence but never got a full Senate vote. Burr and Feinstein expect to introduce the bill and hold a closed-session markup as soon as Tuesday and definitely before the end of the month, an industry lobbyist told us. Johnson said during a USTelecom event Friday that he wants to “see the reaction” to the reintroduced CISA post-markup. Once “more people evaluate it,” Senate Homeland Security “will hop into the fray” and hold additional hearings, Johnson said.
Johnson said he’s willing to “marry” elements of CISA, the Cyber Threat Sharing Act (S-456) and a separate information sharing bill that House Homeland Security Committee Chairman Michael McCaul, R-Texas, is planning to introduce. Any information sharing bill that reaches the Senate floor needs to have effective liability protections that would encourage sharing, Johnson said, noting, “I am not interested in an information-sharing-in-name-only bill.” CISA is a “good starting point” while S-456, introduced by Senate Homeland Security ranking member Tom Carper, D-Del., is “a little more modest” and reflects a Department of Homeland Security-centric information sharing legislative proposal floated by the White House in January (see 1502120069), Johnson said.
Privacy advocates’ concerns about “sharing information with the NSA or the intel community or the Department of Defense” are valid, but that doesn’t mean legislation should undo existing information sharing mechanisms, Johnson said. He said he has told privacy advocates they should back effective information sharing legislation because recent data breaches at companies like Home Depot or Target “where literally the private information of millions of people are being lost” are “the greatest threat to our individual privacy.” The American Civil Liberties Union and Center for Democracy & Technology were among 26 advocacy groups that jointly raised privacy concerns about CISA last week in a letter to Burr and Feinstein. The bill is effectively another iteration of the controversial Cyber Intelligence Sharing and Protection Act (CISPA) and “does not effectively require private entities to strip out” personally identifiable information, the groups said. Rep. Dutch Ruppersberger, D-Md., reintroduced CISPA (HR-234) in January (see 1501090035). Senate Homeland Security can hold hearings on an objectionable “component of any bill” to address concerns, Johnson said Friday.
The White House continues to believe information sharing legislation is “essential” but sees President Barack Obama’s Feb. 13 executive order (see 1502130048) as a continuation of longstanding administration efforts to improve information sharing without legislation, said Ari Schwartz, White House National Security Council senior director-cybersecurity. The Feb. 13 executive order gave DHS’ National Cybersecurity and Communications Integration Center the authority to make information sharing agreements with information sharing organizations and expanded the existing information sharing apparatus by encouraging the formation of new information sharing and analysis organizations (ISAOs). Obama’s earlier February 2013 cybersecurity executive order and April 2014 joint guidance from the Department of Justice and FTC that cyber information sharing is unlikely to raise antitrust concerns (see report in the April 11, 2014, issue) have also improved information sharing, Schwartz said.
It “remains to be seen” how the Feb. 13 executive order ultimately will affect information sharing in the communications sector, said AT&T Assistant Vice President-Global Public Policy Chris Boyer. The DHS-operated National Coordinating Center for Communications is the communications sector’s current information sharing and analysis center, and it appears likely to be grandfathered into the expansion to ISAOs, Boyer said. The FCC’s Communications Security, Reliability and Interoperability Council Working Group 4 has been working on recommendations for adapting the National Institute of Standards and Technology’s Cybersecurity Framework for communications sector use, said Boyer, who co-chairs Working Group 4’s wireline segment. The group’s final report, to be released March 18, is a “true example of how our sector partnered” with the FCC on cybersecurity issues and is a “solid work product” that will advance use of the NIST framework, Boyer said. NTCA Industry and Policy Analysis Manager Jesse Ward, who's also on Working Group 4, said the group has attempted to “thread the needle” and find ways that small- and medium-sized businesses that aren’t considered critical infrastructure can also use the NIST framework. Former FCC Public Safety Bureau Chief David Turetsky, now an Akin Gump attorney, said he hasn’t been involved with Working Group 4 but believes the report will establish the communications sector “as one of the leaders” in using the NIST framework.