Trade Law Daily is a Warren News publication.
Final Rules Released

House Cybersecurity Democrats Concerned About DHS Information Sharing Program Participation

Several House Cybersecurity Subcommittee members raised concerns during a hearing Wednesday about what they view as sluggish private sector participation in the Department of Homeland Security's Automated Indicator Sharing (AIS) program, which DHS set up as part of its implementation of the Cybersecurity Act of 2015. The Cybersecurity Act, which Congress passed in December as part of the FY 2016 omnibus spending bill (see 1512180052), codified the DHS National Cybersecurity and Communications Integration Center's role as the main civilian hub for cyberthreat information sharing. The bill also enacted strong liability protections for information sharing and required private sector entities to remove personally identifiable information (PII) from data prior to sharing. Industry stakeholders told House Cybersecurity they're optimistic that private sector participation in the AIS program will increase over time and attributed sluggish early uptake of the program to stakeholders' cautiousness about participating in the program's earliest stage and the need for finalized information sharing rules.

House Cybersecurity ranking member Cedric Richmond, D-La., led several subcommittee Democrats in questioning the AIS program's early results, saying DHS-provided information showed only about 30 private sector entities actively participating in AIS by Wednesday. About 100 total entities were signed up to participate, Richmond said. DHS launched the AIS program in March after certifying its operability, so it's still “too soon to make a definitive judgment” about the private sector's willingness to participate in the voluntary program, said U.S. Chamber of Commerce National Security and Emergency Preparedness Department Executive Director-Cybersecurity Policy Matthew Eggers. “We are fairly confident” the number of active participants in the AIS program will grow in the coming months.

The release Wednesday of final DHS and Department of Justice information sharing rules may give some firms enough confidence to begin participating in the AIS, Eggers and other industry witnesses said. House Cybersecurity Chairman John Ratcliffe, R-Texas, said the subcommittee would do everything in its power to ensure that the final DHS-DOJ rules “explicitly” clarify that the Cybersecurity Act's provisions cover information sharing among private sector entities amid industry confusion about whether the law's liability protections extended beyond information shared with the federal government. “Congress’ job doesn’t end when a piece of legislation is signed into law and that is especially true when it comes to cybersecurity legislation,” he said. DHS and DOJ began developing their information sharing rules soon after the Cybersecurity Act language was enacted but had until Wednesday to release final guidance.

The final rules, which DHS and DOJ jointly announced in Wednesday's Federal Register, state that the Cybersecurity Act “authorizes private entities to share cyber threat indicators and defensive measures with other private entities. … It also provides private entities with liability protection for conducting such sharing in accordance with CISA.” The finalized rules included guidelines for protecting privacy and civil liberties in information sharing, operational procedures and specific guidance for sharing information with the federal government and among nonfederal entities. Eggers and other witnesses said they hadn't had a chance to review the final DHS-DOJ guidelines, but Eggers said he expects the private sector will become more comfortable with the AIS program once they have a chance to review the rules.

Congressional Cybersecurity Caucus co-Chairman Jim Langevin, D-R.I., said he's also concerned about the private sector's rate of participation in the AIS program, saying he expected more entities to at least participate in receiving cyberthreat data from DHS even if they weren't comfortable with sharing information with the department. USTelecom Vice President-Industry and State Affairs Robert Mayer told House Cybersecurity he believes “progress is being made” but it's “overly optimistic” to expect that entities would be actively participating in AIS just six months after the Cybersecurity Act's enactment. The “prudent thing for a lot of companies right now” is to monitor the AIS program and ensure outstanding issues with its rules and implementation get resolved before they become active participants, Mayer said. The process for becoming credentialed to participate in AIS is lengthy, as is the process of ensuring that a firm's systems are interoperable with the AIS software, said Soltra CEO Mark Clancy. Congress will have a better sense of the AIS program's success as time progresses, and if participation is still low in December “we're in a very different place,” Clancy said.