Fight over cyber information-sharing bill revived at RSA

CISPA has received strong support from a range of industry groups that say the measure will help them receive valuable government intelligence about forthcoming cyber threats so they can thwart an attack on their computer systems, which helps keep consumer information safe from hackers. Companies also say the bill will encourage them to share more information about threats they spot on their computer networks with the government because it provides a set of legal protections for industry — including liability protection from lawsuits if they suffer an attack.

ADVERTISEMENT
But privacy and civil liberties groups have warned that CISPA will allow companies to share people's electronic communications directly with the National Security Agency (NSA) and others in the intelligence community.


Privacy advocates argue that a civilian agency, like the Department of Homeland Security (DHS), should oversee intelligence-sharing efforts and act as the first point of contact for companies before cyber threat data gets funneled to the NSA. They note that civilian agencies are subject to more oversight.

Under CISPA, companies can share data about cyber threats with a set of agencies and departments in the federal government, including NSA and DHS. The bill leaves it up to the companies to decide which agency they want to share cyber threat data with.

Yet companies will likely choose to share information directly with NSA rather than DHS because the spy agency's cyber capabilities are viewed as top-notch, Dempsey argued.

"A lot of people say, 'Well, we don't trust DHS, or DHS doesn't have the expertise.' Ok, but we need to put an effort into digging ourselves out of this hole. We need to put effort into building the civilian side capability for cybersecurity," he said.

"If [a bill is] neutral, the center of gravity, the inertia flows into the direction of NSA, which is perceived as having the experience and the ability we need" to combat cyberattacks, Dempsey added.

Two staffers for the House Intelligence Committee countered that the bill is aimed at setting up a flexible information sharing-system that encourages, rather than deters, companies to share cyber threat data with the government so future cyberattacks are prevented.

"I would just stress that the civilian side is going to play a large role in the solution. The intelligence community, DHS and FBI all have missions that they are going to contribute," said Michael Allen, majority staff director for the House Intelligence Committee. "We are trying to write a bill flexibly enough that will work. We understand we have to build the confidence of others so that companies will want to participate in it."

Heather Molino, minority staff director for the House Intelligence Committee, said bill intends to take advantage of information-sharing programs already in place in the federal government.

"We do want to build DHS up, but we don't want to be redundant either," Molino said. "There are capabilities that are already available in another areas of the government. In this time, where the government is trimming down, we don't want to be spending money when we can just be coordinating information [sharing] across different government agencies. We don't want to make duplicative efforts."

Privacy groups also argue that CISPA will allow the government to use the cyber threat information that companies share with them for a broad set of law enforcement purposes other than cybersecurity. However, Molino said Rogers and Ruppersberger narrowed the bill so cyber threat data could only be used by law enforcement for five specific purposes, such as to protect national security or prevent harm of a child.

"We tried to narrow this very particularly so that we won't get more [data] than we needed," she said.

Privacy groups supported the information-sharing section of a Senate cybersecurity bill that failed to pass last year, arguing that the measure is more tailored and narrow. The House and Senate could come together in conference on CISPA and whatever legislation the upper chamber puts forward, a Senate staffer said.

Clete Johnson, professional staff counsel for the Senate Intelligence Committee, said CISPA's bill text could be narrowed. He noted that the Senate bill specifically said cyber threat data from companies could be used by law enforcement to prevent "death and serious bodily harm," rather than just for national security purposes. 

"I think the concern with the phrase national security is it can be a very elastic thing," he said, adding that it could be interpreted broadly to include non-cybersecurity matters like immigration and food safety.

Johnson said the Senate Homeland Security and Commerce Committees will have a joint hearing next month on the cybersecurity executive order issued from the White House. He said the Senate measure will likely include feedback that Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.) received from Fortune 500 companies about cybersecurity legislation.