In its latest legislative proposal on cybersecurity, the White House is advocating for liability protections for companies who agree to share cyber threat information with the government and with one another. But Department of Homeland Security officials freely acknowledged Wednesday that legal immunity will not, by itself, open the floodgates to the privately-held threat information DHS thinks it needs to help defend the country from cyber attacks.
Besides granting companies limited criminal and civil liability immunity, the Obama administration’s proposal would set up privately-operated Information Sharing and Analysis Organizations (ISAOs) — voluntary groups that would, in theory, let the private sector send threat data at light speed to each other and then, optionally, into DHS’ National Cybersecurity and Communications Integration Center at the same pace.
“Voluntary” is a key word. To make the system work, DHS knows it will have to prove itself as trustworthy, including to many companies who are skeptical of sharing information of any kind with the U.S. government unless they absolutely have to. Much of that skepticism has nothing to do with fear of lawsuits.
“There’s never been a harder time to convince companies to share with the government. There’s also never been a more urgent time to put the indicators together so we can respond to an adversary that has an infinite appropriation and does whatever they want,” said Dr. Phyllis Schneck, the DHS deputy undersecretary for cybersecurity and communications.
In a House Homeland Security Committee hearing Wednesday, Rep. Curtis Clawson (R-Fla.) summed up some of the corporate considerations that have little to do with legal liability.
“I’m trying to imagine myself in the position of the CEO of a multinational corporation,” he said. “I’ve got stakeholders and data centers all around the world and a board of directors that’s not all Americans. I’ve got an enterprise resource planning system that I’ve worked for years to get integrated around the world. I accept that cybersecurity is important and that we’re dead if we don’t have it. But liability protections only help one of my stakeholders: the shareholder. My world is much more complicated than that. I’m being asked to tell my board that we’re going to start sharing data with the U.S. government, we’re still working out the details, but you’re going to have to trust us on what we’re going to share, even if you grew up in the Czech Republic or Russia where you’ve been spied upon your whole life. It feels to me like you all have got a tough sale.”
Yes, the department does, said Suzanne Spaulding, DHS’ undersecretary for the national protection and programs directorate, who said she heard many of the same concerns in the months leading up to the administration’s proposal.
But she said DHS hopes companies will agree to share information not solely on the basis of blind trust, but will — after having seen the program in action for a while — conclude that the types of information DHS is asking for are not the stuff of Big Brother.
“Yes, the devil is in the details,” Spaulding said. “But the good news is that as we move to automated information sharing, those details will be apparent to everyone. There will be total transparency about the specific types of information we’re seeking and sharing, because we’re creating a structured way of presenting that information that will detail very specifically the details we want to get. Limiting this to cyber threat indicator information — which is very technical information about, for example, the IP addresses that are sending malware to disrupt equipment — is information that’s less sensitive. But every company will have to make its own decisions. It’s not a silver bullet and it’s not going to make every company open its doors. But it does address some of the concerns we’ve heard from the private sector.”
The information sharing environment DHS would like to foster requires the department to walk several fine lines as it seeks to reassure several parties that it is not engaged in a takeover of the nation’s cybersecurity.
For example, officials said they have no intention of interfering with any sector-specific information sharing arrangements individual companies might have already reached with agencies like the FBI, the Treasury Department or the Energy Department — even though those person-to-person relationships will likely be much slower to react than the machine-to-machine information sharing scheme DHS envisions.
Also, the department wants to preserve the opportunity for companies to share information at least with each other through industry-only channels even if they’re reluctant to send it to the government, reasoning that more sharing within the broader cybersecurity ecosystem is better than the status quo. So it’s seeking to assure industry that the ISAOs it is attempting to establish with forthcoming grant money will be truly independent from the government.
In the meantime, the department will need to work to convince companies that they stand to gain from sharing cyber threat data with the government, Schneck said.
“We are going to have to earn their trust,” she said. “It’s my scientific belief that there will be a benefit in getting our data, and you don’t have to give anything at first in order to get it. It’s voluntary. I think the companies will see that.”
The ISAOs the White House proposes in its legislation and that it sought to “encourage” in a subsequent executive order will share information among their corporate members while also building in a forthcoming set of best practices that DHS hopes to begin creating through an independent private foundation. The practices are intended, for example, to reassure companies that any information they share with the organizations they’ve joined won’t be shared with outsiders without their consent.
But if they do decide to share information with the government, there are still several policy concerns to be ironed out, including exactly how much responsibility private companies will bear for scrubbing their data of potential privacy-sensitive information that might point back to their customers, or that might have a bearing on federal privacy laws.
“The companies have a responsibility to make a good-faith effort,” Schneck said. “But this is a policy puzzle that’s being solved each day by working together with each different equity, including the private sector, law enforcement and the intelligence community. We’re doing our best to get everybody to design that.”
For its part, DHS says companies — and Congress — should feel reassured by the fact that it already has a robust privacy infrastructure in place, including the government’s first-ever statutorily mandated privacy office.
Like the rest of DHS’ activities, Schneck said, the cyber sharing program will be subject to oversight by that office, and like all of DHS’ other programs, will have its own publicly-released privacy impact assessment.
“We can balance speed and privacy,” she said. “We need to make sure our defensive capabilities are as strong as they can be, which means putting all of this data together. It takes everybody to work this, and part of the reason it’s going to take us more than a few months to build this capability is that we have to do it with the right privacy and the right equities to get it right.”