The top Republican and top Democrat on the Senate Intelligence Committee are nearing agreement on a cybersecurity bill designed to bolster the sharing of minute-to-minute cyber threat information amongst private sector companies and with the government.
Sen. Saxby Chambliss (R-Ga.), the vice chairman of the intelligence committee, said he and Sen. Diane Feinstein (D-Calif.), the committee chairwoman, still have some minor differences of opinion to work out, but he’s optimistic that the Senate can join with its House colleagues and move forward with an information sharing bill by the end of 2013, and before Congress moves into another election year.
“We’re very close to having a cybersecurity bill,” he told a cyber conference hosted by Politico Tuesday in Washington. “Had we not been interrupted by the NSA revelations by Edward Snowden and the need for [Foreign Intelligence Surveillance Act] reform, we probably would have already been there by now, because that was next on our plate.”
Chambliss said there’s broad agreement that the legislation needs to incentivize private sector companies to share information on any malicious code their firms encounter, both by providing them with liability protections that would shield them from lawsuits that could otherwise follow from sharing information with competitors or with the government, and by convincing them that federal agencies are capable of securely communicating threat information between the private and public sectors.
He said that information exchange mostly would happen through a portal operated by a civilian agency, most likely the Department of Homeland Security.
“Cyber information will go into that portal and be shared in real-time, and I emphasize real-time,” he said. “If it’s nearly-real-time, then we’re behind the curve. Once we get to that point, the issue becomes purely a matter of what countermeasures are implemented and who dictates that, and when the liability kicks in. We’re pretty close to agreeing on that, but we’re not quite there yet.”
Chambliss said he and Feinstein have been developing their bill in close consultation over the past year with Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), their counterparts on the lower chamber’s Intelligence Committee.
“So if we can get something done on the Senate side, we think we can come together and bridge our differences in philosophy between the House side,” he said.
According to Chambliss’ description, the Senate proposal would largely mirror the current version of Rogers and Ruppersberger’s legislation, the Cyber Intelligence Sharing and Protection Act (CISPA). The House passed an earlier version of the legislation in the spring, but it provoked a White House veto threat.
The Obama administration said it strongly supported the goal of public and private sector information sharing, but it quarreled with provisions that would have made the National Security Agency the hub for the exchange of data. Later amendments to the bill made DHS the center of activity instead.
The White House also said Congress wanted to give companies more of a blank check from legal liabilities than they actually needed.
There’s also disagreement over the concept of “minimization.” All parties agree that any information that’s shared should be scrubbed so that it doesn’t contain personally identifiable information about Americans. The White House’s stance has been that companies should have at least some responsibility to remove personal information before they send it to each other or to the government.
DHS in charge of sharing
But Rogers believes any law that puts the onus on the private sector would impede participation in the program. Large firms who have the technical capacity and capability to handle minimization will do so, he said.
“But the other ones that can’t do it won’t do it. And that means they won’t share, and that means a vulnerability in our system,” Rogers said. “But then it’s going to go to the government anyway, which is already required by law to minimize. Who can do that better than anyone? It’s the NSA. They do it, we watch them like a hawk, and we kick them when we think they’re not doing it. My argument is we should have the best filter for [personally-identifiable information], and it should not be run at the expense of businesses, because defending the country should be all of our expense. And we’ll get more participation.”
The current version of CISPA would put DHS in charge of the information sharing program rather than the NSA. The change came about via an amendment by Rep. Michael McCaul (R-Texas), the chairman of the Homeland Security Committee, who also is working on his own bill to give DHS the lead role in a comprehensive public-private information sharing program.
Like the intelligence committee proposals, the legislation would create voluntary incentives to share, he said. “They’re not right now,” he said. “They’re not incentivized to share with the government, the government does share some information with them, but most importantly, they’re not incentivized to share information with each other across sector lines. We want to create a safe harbor within the [National Cybersecurity and Communications Integration Center] at DHS where these sectors can actually participate on the watch floor and share information with liability protections.”
Individual lawmakers and influential committees have been trying, and failing, for the last several years to pass some type of cybersecurity legislation.
And while several members of Congress who are active on the issue say the time is ripe right now, they also acknowledge that any proposal that combines the words “government” and “cyber” is a lot more politically risky at the moment, because of the ongoing saga surrounding national security disclosures by former NSA contractor employee Edward Snowden.
“We have a perception problem, and we need to deal with that,” said Ruppersberger, whose district includes the NSA’s headquarters. “My constituents get up every day and work hard to protect this country just like the military, and they want to feel good about themselves as Americans. We have to find a way to restore that trust.”
Snowden blurs real intent
NSA’s director, Army Gen. Keith Alexander, has appeared in numerous — if sometimes tightly controlled — public fora over the past several months to make the case that his agency spends as much time making sure it doesn’t trample on constitutional rights as it does monitoring the Internet for malicious actors overseas.
He contends that his agency’s use of its authorities under FISA have been widely misunderstood and misinterpreted by the media and by members of Congress.
“The facts have been greatly sensationalized and inflamed, not informed,” he said during the Politico event. “If people are that far off on this program, where are we going to go on cyber? It’s much more difficult to understand for many of the people who help write the laws. They need to understand the facts. We’re a foreign intelligence agency. Ours is a noble cause. It’s to defend this nation and to protect our civil liberties and privacy. It’s not either-or, we have to do both… the oversight and compliance regimen we have is better than any country in the world.”
And the public dialogue surrounding the Snowden situation has obscured the reality of the information that would be shared under any of the pending or proposed cybersecurity bills, said Richard Bejtlich the chief security officer at Mandiant, a private IT firm.
“The type of information we’re talking about sharing is not Americans’ personal information,” he said. “The privacy community, which I love, has been very vocal about this, but they don’t understand the types of information that will be shared. You will not find anyone’s name, date of birth, browsing habits, none of that. We’re talking about technical indicators that show how bad guys are breaking into networks. I don’t see why that type of information should be held up.”