The cyber bills are starting to multiply.
House Homeland Security Committee Chairman Michael McCaul (R-Texas) said Tuesday he would release this week a draft of a bill to make the Department of Homeland Security (DHS) the point agency on public-private cyber threat data sharing.
“We are in a pre-9/11 moment when it comes to cybersecurity,” McCaul said during remarks at the Center for Strategic and International Studies. “In the same way legal barriers and turf wars kept us from connecting the dots before the 9/11 attacks, the lack of cyber threat information sharing is leaving us vulnerable to our enemies.”
The bill would give companies legal liability protections when sharing cybersecurity information with the DHS cyber hub, known as the National Cybersecurity and Communications Integration Center (NCCIC).
The measure will join a growing cache of cyber information-sharing bills in the House and Senate.
Lawmakers, government officials and most industry groups agree the public and private sectors need to exchange more cyber data to bolster the nation’s defenses against hackers.
But congressional action has been tied up over the specifics.
The Senate and House Intelligence committees want to allow cyber data sharing directly between private firms and intelligence agencies, such as the National Security Agency (NSA), which has concerned privacy advocates.
McCaul, the White House and a growing bipartisan group of lawmakers want the DHS to serve as the lead portal for public-private cyber data exchanges.
“DHS has some of the strongest privacy protection mechanisms in the federal government,” McCaul said. “Such built-in privacy oversight is an important reason why DHS is the leading civilian interface for these exchanges.”
And the NCCIC, in particular, is ideally suited to manage such an exchange.
“The NCCIC is not a cyber regulator,” McCaul said. “It cannot prosecute you and it is not a spy agency. It’s a civilian interface.”
McCaul wants to mark up his bill within the next two weeks and get it to the floor by the end of April.
That timeline could lead to a direct clash with a Senate Intelligence Committee cyber info-sharing bill that passed out of committee last Thursday. Senate leaders are hoping to get it to a floor vote by mid-April and to the House floor shortly after.
The Senate bill — the Cybersecurity Information Sharing Act (CISA) — would allow non-electronic info-sharing between private firms and intelligence agencies. All electronic sharing would go through the DHS, a change seen as an attempt to assuage privacy concerns. Privacy groups have thus far been unswayed, arguing the data will be shared within the government anyway.
The House Intelligence Committee is expected to mark up a similar bill.
While Senate Democrats and the White House have expressed reservations about CISA’s privacy provisions, McCaul supports the Intelligence panel’s efforts.
The parallel bills aren’t necessarily mutually exclusive, he said.
“We think DHS is a primary portal, a lead portal because of this civilian interface,” he said. “However, if a member company wants to go to NSA as a portal, we’re going to allow for that as well.”
Congress’s actions on these bills will determine how the country tackles cyberattacks for years to come, McCaul believes.
“This will be landmark,” he said. “This will create how we deal with cybersecurity for the next decade.”