The Cybersecurity Information Sharing Act bill really centers around two areas: providing technical requirements for the Homeland Security Department on how to set up a “real-time” cyber indicator sharing network, and providing liability protection for organizations sharing data.
The real questions are: Are either of these provisions necessary? And do we need to tie them together?
The first area is, frankly, the easiest to dismiss. Congress has a very poor history of providing technical requirements to other parts of government. The Director of National Intelligence, DHS, Defense Department and the Justice Department have some very capable technical resources between them and a large number of people who can whip together a process and program for sharing cyber indicators.
Why then does Congress feel the need to provide explicit directions for these programs? Is there some insight that Congress has learned that they feel these agencies do not understand?
It feels disingenuous to prescribe to a technical organization how to run a technical program of this nature. If these organizations are to be trusted with a program's stewardship, why not also trust them with its inception?
For the most part, all of the requirements set forth throughout the bill are ones that would naturally arise while trying to follow existing laws or provide a compelling technical solution. Sharing simply would not be effective if this information were not disseminated in a timely manner, nor would any governmental organization take on the risk of sharing the personal information of an innocent bystander without layers of fail-safe precautions.
The second area — related to the liability protection — is a little more interesting.
Here, the unwritten assumption is that organizations do not share information due to a concern that they will be held liable for some legal violation. However, that assumption falls flat on two fronts.
First, the same organizations that would benefit from this “protection” are lobbying against this act. They do not see these protections as a benefit to their organization (and these are companies who take security as a core part of their business). But the more important issue at hand is that these organizations are already, effectively, sharing cyber indicators. They share them with each other, and they share them with, and receive them from, the federal government. There are longstanding organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) — and the 19 other flavors of “ISAC” — established explicitly for this purpose.
These organizations have been extraordinarily successful, and a recent boom of private companies and open exchanges has only added to the availability of this data. Organizations are already sharing cyber indicators without concern over liability, and they are doing so effectively.
Now, if we assume that DoJ, DHS, DoD and the DNI have capable technical resources and effective program managers, and that we have more than 10 years of organizations sharing cyber indicators without concern over liability — then why do we need a law to establish a consolidated program?
We already have an effective, market-driven solution to a technical problem; we do not need government regulation to help us along.