Senate Homeland Security Committee Tests White House Cyber Information Sharing Proposal
The Senate Homeland Security Committee tested possible parameters of cybersecurity information sharing legislation Wednesday. Ranking member Tom Carper, D-Del., said the committee is examining how to combine elements of the White House’s cybersecurity information sharing legislative proposal with provisions in previous legislation. Industry witnesses said they preferred many provisions of the White House’s proposal to coordinate private sector information sharing with the government through the Department of Homeland Security rather than tactics outlined in the controversial Cyber Intelligence Sharing and Protection Act (CISPA) and the Cybersecurity Information Sharing Act (CISA).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Witnesses declared a preference for privacy provisions in the White House’s proposal. The proposal from the White House, released earlier this month (see 1501130059), would require companies to “scrub” personally identifiable information from any cyberthreat data it shares via DHS. CISPA and CISA, a CISPA-equivalent bill that the Senate didn’t vote on during the last Congress, “didn’t go far enough” on civil liberties protections, Scott Charney, Microsoft corporate vice president-Trustworthy Computing Group, said. Addressing customers’ privacy concerns is important and it’s “right” to center discussions around providing strong privacy protections that also allow sharing, he said. Requiring companies to strip out PII and seeking only narrowly tailored cyberthreat indicators will be “fruitful” in passing a bill, Marsh & McLennan General Counsel Peter Beshar said.
The White House's proposal “does a pretty good job” of requiring the removal of PII data, but Congress should still delay passing information sharing legislation until it reforms NSA surveillance practices, Center for Democracy & Technology senior counsel Greg Nojeim said. Leaks about NSA surveillance programs in June 2013 effectively arrested Congress’ work on information sharing legislation during the last Congress, with industry observers tying any chance for CISA passage to Congress enacting the USA Freedom Act (see 1411070037). The Senate failed to pass its version of the USA Freedom Act, effectively killing CISA’s chances.
FireEye Chief Security Strategist Richard Bejtlich said Congress should pair information sharing legislation with an update to the Computer Fraud and Abuse Act to curb the “trust deficit” created by the revelations about NSA surveillance. Committee Chairman Ron Johnson, R-Wis., said that privacy protections will be a major focus in any information sharing legislation the committee considers. Still, "the threat in terms of loss of privacy is really even greater" if Congress doesn’t pass a bill, he said. Rep. Dutch Ruppersberger, D-Md., reintroduced CISPA (HR-234) earlier this month, but industry lobbyists told us the bill’s prospects remain unchanged (see 1501090035).
Several witnesses want changes to some elements of the proposal before it's finalized. American Express Chief Information Officer Marc Gordon said he’s concerned the proposal doesn’t include liability protections for company-to-company information sharing. Liability protections need to cover such sharing because so much of the current information sharing apparatus is centered on that type of sharing, he said. If liability protections cover only private sector-to-government sharing, it will “incent us away” from company-to-company sharing, Gordon said. Charney said he wants Congress to consider how any information sharing legislation it produces will be perceived overseas since some countries may emulate a U.S. law.