DHS, Commerce leaders differ on how to calm cyber info sharing liability fears

Commerce Department Secretary Penny Pritzker said Tuesday that fostering collaboration between private business and the government needs to mature in order to improve the nation’s cybersecurity posture. 

“Quite simply the federal government cannot regulate cyber risk out of existence,” Pritzker said during a U.S. Chamber of Commerce event. 

The Cybersecurity Information Sharing Act, or CISA — legislation that created an information sharing portal between the private sector and Department of Homeland Security last year — is a good first step but “more strategic real world cooperation” will require additional legislation and further outreach, said Pritzker. 

While CISA is more so focused on technical machine-readable threat information, a Commerce Department spokesperson said that Pritzker is calling for “additional business-to-government cooperation between people, leaders, and institutions … the comparison is like the difference between diagnostic information (CISA) and treatment options.” 

CISA offers a level of liability protection for participants, as user data is directly scrubbed of all personal identifiable information and storage of such data falls to DHS. 

Pritzker proposed a “reverse miranda protection” as a mechanism to spur more information sharing by businesses; meaning that information disclosed by companies during the course of an incident response cannot be used to regulate or pursue legal action against them. 

“Even as companies and agencies begin to speak the same language of cyber risk management, we are not yet having a truly candid, actionable conversation because we lack the legal support structure necessary to do so,” Pritzker said, “The problem is that the relationships between regulators and the businesses they regulate are inherently adversarial.”

Nevertheless, liability is a concern for numerous companies who have already engaged with the FBI, said David Johnson, associate executive assistant director of the FBI. Today, the bureau’s cybersecurity approach continues to focus on developing relationships and generating trust. 

Differing from Pritzker’s opinion, DHS Deputy Secretary Alejandro Mayorkas was less enthusiastic of drafting new, additional legislation to counter companies’ lingering fears.

“I worry about implementing too many protections through a regulatory process or even a statutory process only for this reason: in our effort to promulgate statutes, legislation or regulations, I would not describe the federal government as nimble,” said Mayorkas. “The cybersecurity landscape is so dynamic and so rapidly evolving that what I worry about is the implementation of the regulatory level of protection of what is occurring to date, but by tomorrow, won’t work perfectly well.”

He added, “I hope we will employ our policy making skills with presidential directives and assist in providing a protective framework in a more nimble fashion … here, in the cybersecurity realm, the standard of care is not well defined.”