Sen. Saxby Chambliss, R-Ga., the senior Republican on the Senate Intelligence Committee, said Tuesday he and committee Chairwoman Sen. Diane Feinstein, D-Calif., are close to introducing a bill designed to enhance cybersecurity information sharing between the government and the private sector.
"We're very close to having a cybersecurity bill," Chambliss said, speaking at the Cyber7 event in Washington, D.C., sponsored by Politico. The bill would be the equivalent of the House's Cyber Intelligence Sharing and Protection Act, which passed in April, and would establish a mechanism for real-time information sharing about cybersecurity threats between the government and the private sector.
According to Chambliss, the bill would provide liability coverage for private owners and operators of critical infrastructure and would create an information-sharing portal located within the Department of Homeland Security to facilitate information sharing between DHS (and by extension, the National Security Agency), as well as between private industry verticals, such as the energy and banking sectors.
Privacy advocates have called upon lawmakers to place ultimate responsibility for cybersecurity under civilian agency control at DHS. But NSA plays a critical role in detecting cyber-attacks and developing cybersecurity intelligence about strategic threats to the U.S. critical cyber-infrastructure. That role, however, has come under fire in the wake of the leaks by former NSA contractor Edward Snowden that detailed the agency's domestic surveillance programs.
"You can't have protection from a cybersecurity standpoint without the NSA being involved," Chambliss said. However, he acknowledged that while cybersecurity legislation had been at the top of Senate's agenda, the Snowden controversy and the ensuing focus on reforming the Foreign Intelligence Surveillance Act have stalled the measure.
Although Chambliss said he still believes he and others can work together to produce a bill Democrats and Republicans can reach agreement on in the House, others on Capitol Hill are doubtful that meaningful cybersecurity legislation will pass this year.
Part of the reason is that "we're not in the post-Snowden era yet," said Rep. Mac Thornberry, R.-Texas. "I'm fairly optimistic that we could do an information sharing bill," he said. "But because of Snowden, it is hard politically to move forward."
Rep. Michael McCaul, R-Texas, chairman of the House Committee on Homeland Security, said CISPA had garnered a lot of momentum in the House, but the ballooning controversy over the Snowden leaks "put the breaks on" the legislation. Many wrongfully characterized the bill as yet more government surveillance of private networks, he said. "It's not a surveillance bill. It codifies the [federal] interface to the business community," he said. "I think we've worked out a lot of the privacy concerns."
Specifically, McCaul said CISPA would "create a safe harbor" within the National Cybersecurity and Communications Integration Center, DHS' central cybersecurity command center, to enable cross-sector information sharing.
Rep. Adam Schiff, D-Calif., outlined four areas lawmakers are still trying to agree on:
- The scope of the information gathering;
- The purpose for which that information can be used;
- What agency will take the lead?; and
- To what degree should the private sector be required to remove personally identifiable information from the data it shares with the government.
As a result of the Snowden leaks, lawmakers have made the least amount of progress on the privacy controls, Schiff said.
For Rep. Tammy Duckworth, D-Ill., the combination of the government shutdown and the Snowden leaks have created a perfect storm of obstacles to meaningful cybersecurity legislation in 2013.
"It's sounding like we might go all the way to the debt ceiling," said Duckworth, referring to the pending Oct. 17 deadline for raising the federal debt ceiling limit.
And as far as CISPA is concerned, Duckworth said the key to her support is for the "whole program" to be under civilian authority. "I do not want a general in charge of privacy protection of personally identifiable information for government-industry information sharing," she said.
When asked if these obstacles could be overcome before the end of the year, Duckworth was not optimistic.
"I think it's very wishful thinking," she said.