The bill, H.R. 3523, also would encourage a voluntary approach for companies to share IT security information back to the government. “All we are attempting to do is give the private sector the ability to protect themselves,” said Rep. Dutch Ruppersberger (D-Md.), co-sponsor of the bill and ranking member of the Intelligence Committee. “We can protect the government side or intelligence side, but need to give the ability to the other side to protect themselves.”
The Cyber Intelligence Sharing and Protection Act build off of the Defense Industrial Base (DIB) pilot. DoD launched the test in August with 37 vendors with a goal of sharing threat signatures, or information, about potential cyber attacks.
DoD has transferred the program to the Homeland Security Department with an eye toward expanding the program to more than 200 companies over the next year.
“We are seeing a number of areas just based on data collections from those companies that we are getting information on threats we would not have seen otherwise, and they are getting information from each other as well as from us about what the threats are and what the mitigation could be,” said Teri Takai, DoD chief information officer, at a recent House Armed Services hearing. “That complements well the DIB pilot process which was focused around the Internet Service Providers and being able to take the information sharing and moving it to the protection piece.”
DIB pilot to expand
DoD will expand the program when an interim rule is completed. DoD currently is reviewing comments on the DIB proposed rule.
Gen. Keith Alexander, commander of the U.S. Cyber Command, told lawmakers last month that it’s that type of information sharing that is most important to protecting agencies and the nation against cyber attacks. “This will scale, the approach we are taking with the DIB pilot, in terms of the technical capability to protect all that we need to protect,” Alexander said. “Where other solutions that we’ve put forward do not scale as easily or are so cost prohibitive that from our perspective going to the DIB pilot or managed security services or whatever we will call it, is probably the best thing to do for the country in the cheapest, most efficient way.”
What Ruppersberger and Rep. Mike Rogers (R-Mich.), chairman of the Intelligence Committee and co-author of the bill, are doing is taking the concepts from the DIB pilot and putting it into law.
Their bill also would update a 1947 bill that limits how classified information is shared.
“This was a year in the making and included hundreds of meetings to try to put something together that dealt with the very serious challenge of nation state actors both planning for cyber disruption attacks against the U.S. and our allies as well as a nation state focused effort to steal property for the sole purpose of harming the economy,” Rogers said.
The 13-page legislation requires the Director of National Intelligence to create a process to share classified cyber data with properly cleared private sector individuals.
The only information that can be shared both ways is cyber or national threat information, which is a key point of the bill.
Protecting privacy and civil liberties are a major focus in the bill
Rogers said the bill keeps the protection of privacy and civil liberties on the front burner.
“The bill authorizes the private sector to anonymize or minimize the cyber threat information it voluntary shares,” he said. “Those companies can make that determination what they think they minimally need to share in order to solve their problems. We think that is also very limiting and encouraging to folks who are concerned about civil liberties protections. There are very strong limitations on the government’s use of this information. It must be protected from disclosure outside the government. The government may not search the cyber threat information for non-cyber or national threats information.” In fact, Rogers said they are working on a provision to the bill that would let companies sue the federal government for improper disclosure of cyber threat information to the public.
Rogers and Ruppersberger said the intelligence community inspector general will review annually how government handles and protects the cyber threat information and will make recommendations to improve upon it.
Ruppersberger added the committee is considering another provision to give the Homeland Security Department a larger role in working with the private sector.
“We are communicating with the White House on a regular basis and they have some issues they want us to work on,” he said.
Roger said they also are writing language that would require DHS to receive copies of the voluntary received cyber threat information and clarify the department’s role in sharing information with other federal entities.
“The bill would make clear it would grant no new authority to DoD or the intelligence community to require or direct any public or private cyber efforts,” Rogers said.
Dozens of cyber bills competing for time
The Rogers-Ruppersberger bill becomes the latest one of more than 30 to try to address the growing threat of cyber attacks.
Their bill most closely resembles the legislation introduced by Sen. John McCain (R-Ariz.) in March. His bill would take a “hands off” approach to oversight of critical infrastructure protection.
Another bill, from Rep. Dan Lungren (R-Calif.), would create a public-private sharing non-profits.
And finally, the leading cyber bill, introduced by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.) and Diane Feinstein (D-Calif.), would take yet another approach. It would give DHS the role of convener to create with industry minimal cyber standards that the companies would either self-certify or have a third-party independently validate their controls.
House and Senate leaders have pledged to bring up the cyber bill as soon as possible, but no specific date or timeframe has been publicly discussed.