The Obama administration renewed its public push Tuesday in support of the Cybersecurity Information Sharing Act ahead of what its backers hope will be a long-delayed Senate debate later this month.
While many privacy-minded organizations and industry trade groups have been quick to denounce CISA, which would give liability immunity to private companies that share cyberattack information with the federal government, White House cyber czar Michael Daniel called the legislation a “critical piece of enhancing the nation’s cybersecurity.”
“The government and the private sector must be able to share relevant information more quickly and in a manner that preserves and protects the privacy rights of all Americans,” Daniel, the president’s cybersecurity coordinator, said at the U.S. Chamber of Commerce’s Cybersecurity Summit. “These two things are not mutually exclusive — we can achieve both of those goals.”
Two versions of the bill have already passed in the House, but the legislation has since stalled in the Senate due to a crowded docket and privacy opposition that has resulted in numerous amendments. But Daniel said the nation can’t afford to wait any longer.
“Cyber criminals are not waiting to steal our intellectual property or financial data, so neither can Congress wait to pass this legislation,” he said. “We urge the Senate to bring this bill up soon and finish its work on this measure without delay.”
Sen. Dianne Feinstein, D-Calif., spoke about the need to make a “full-court push” for support of the bill as Congress enters a weeklong recess beginning Saturday. Accompanied by CISA co-author Sen. Richard Burr, R-N.C., at the summit, Feinstein described where the heavily amended bill stood ahead of a vote, likely coming after next week’s break, and why companies need not fear it.
“We have a bill that passed our committee 14-1, so it is a strong bipartisan bill,” she said. “It is a limited bill. It is a voluntary bill. No one has to do anything if they don’t want to. But the point of the bill is if a company would like to share cyberthreat-related information with another company or with the federal government, they are covered with liability immunity.”
Alejandro Mayorkas, deputy secretary of the Department of Homeland Security, similarly confronted concerns involving DHS’ role as the central hub for information sharing in the plan, and how it plans to share that information in “near real time.”
That differs from real time, he said, in that it allows DHS “to scrub an automated form of personally identifiable information and other information that carries with it significant privacy interests that do not necessarily serve the discrete interests of the enforcement or investigative communities.”
The goal of the bill, Mayorkas continued, is to make sure that “the harm that one company suffers today will not be a harm that another company suffers tomorrow.”
“If one shares that information across one’s industry and even more broadly, then the cyberthreat indicator information will enable other companies to guard against that very same [attack] and develop the defenses to prevent it from inflicting harm again,” he concluded. “That is how we raise the bar of the cyber hygiene ecosystem collectively.”
And from an infrastructure perspective, information sharing becomes even more imperative, as about 90 percent of American infrastructure is in private hands, said Elizabeth Sherwood-Randall, deputy secretary of the Department of Energy.
“That is a striking fact, and when you work in the federal government and have the responsibility as we do as a sector-specific agency, you realize you cannot do it alone,” she said. “You’re very dependent on your private sector peers. So we have to work together in this partnership between government and industry to improve cybersecurity capabilities. And information sharing is absolutely vital to our success.”
Still, CISA, and information sharing in general, continues to receive a pummeling from its privacy-favoring opponents.
Federal respondents to a recent Ponemon Institute study found threat intelligence sharing to be largely ineffective. “While almost every federal, state and local respondent says gathering and using threat intelligence is essential to a strong cybersecurity posture, they report their organizations are not able to collect and use it effectively,” a report on the study says. Only 29 percent of federal officials said “collection and use of actionable intelligence from such sources as vendor-supplied threat feeds is ineffective.”
Others have criticized it for “incentivizing oversharing.”
Regardless of the divide CISA has created, both sides tend to agree on one thing — America, and particularly the federal government, is losing at cybersecurity.
“I think it has become painfully obvious that the way that we’ve been going about cybersecurity in the federal government is not working,” Daniel said.