DHS makes the case for cyber info sharing bill as Senate prepares to vote

The Department of Homeland Security’s second-in-command is joining a growing chorus of Obama administration officials in calling for the Senate to pass the Cybersecurity Information Sharing Act of 2015.

DHS Deputy Secretary Alejandro Mayorkas said Oct. 22 that partnering with industry on cybersecurity is crucial, and CISA would lubricate the lines of communication between government and the private sector.

“In the cyber arena, specifically, we look to the private sector as a partner. We don’t actually view ourselves as leading, as opposed to viewing ourselves as co-leading with the private sector in developing an ecosystem…that raises the level of cybersecurity,” Mayorkas said during an Atlantic Council event in Washington.

Mayorkas said that because the private sector controls the use, development and advancement of the Internet they are much-needed partners for government as technology progresses.

Advertisement

He added that DHS is creating an operational landscape where government and industry can share cyber information.

“We can take that information, divest it of personal information and disseminate it very broadly to raise the ecosystem,” Mayorkas said.

The operational model and the partnership could be improved by the Cyber Information Sharing Act, which is now being debated by the Senate and likely will come to a vote next week, Mayorkas said.

DHS Secretary Jeh Johnson also endorsed the bill in an Oct. 22 statement.

The bill breaks down legal barriers that prohibit companies from sharing information about cyber threats with the government.

The Senate agreed by unanimous consent today to schedule a vote for the final passage of the bill on Oct. 27. The House already passed its version of CISA in April. If the Senate passes the bill, it will go to conference and then be voted on again by both legislative bodies.

CISA has become somewhat of a perennial bill. A version of it has been introduced and failed passage for the past six years, but this year it has garnered larger support due to the prevalence of cyber attacks.

The Senate still needs to vote on a bundle of amendments to the bill. The legislative body rejected an amendment by Sen. Rand Paul (R-Ky.) Oct. 22 that would have taken away companies’ liability for sharing customers’ information.

Other amendments, which have yet to be voted on, include a provision by Sen. Sheldon Whitehouse (D-R.I.) that would let U.S. courts pursue international cyber criminals. Sen. Jeff Flake (R-Ariz.) introduced an amendment for the bill to expire in six years.

Another amendment includes requiring DHS to review all cyber threat indicators, and countermeasures to remove certain personal information and one to make the cyber information nonexempt from Freedom of Information Act queries.

Sen. Tom Cotton’s (R-Ark.) has drawn considerable attention for his change that would  let companies share data not only with DHS, but also with the FBI and Secret Service.

That may push some senators who are on the fence against the bill, since they already harbor concerns about citizens’ privacy.

Opponents of the bill say the authorities in it can be used as a vehicle for the government to collect more data on private citizens.

While companies are sharing information about cyber threats, a lot of that information also carries personal information on customers. Companies track where people go, what they buy and other data. Critics are skeptical that that information can be parsed from pure cyber threat data.

Senators such as Bernie Sanders (I-Vt.) and Ron Wyden (D-Ore.) have been outspoken critics of the bill.

Tech companies such as Apple and Dropbox also have come out against the bill.

“We don’t support the current CISA proposal,” Apple said in a statement to The Washington Post. “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”

The Computer and Communications Industry Association, a membership organization for technology companies, also doesn’t like CISA.

“CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.  In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties,” an Oct. 15 release from the organization states.

Still, supporters of the bill say cyber is changing the way civil liberties are viewed.

House Intelligence Committee chairman Devin Nunes (R-Calif.) said last month that the United States has reached a tipping point when it comes to cybersecurity legislation because of recent cyber events.

Over the last year, several high profile cyber attacks have compromised government, corporate and citizen data. Most recently, almost 22 million current and retired federal workers’ personal information was exposed in a hack on the Office of Personnel Management.

In 2014, industry reported it detected 42.8 million cyber attacks a day, according to a survey by PricewaterhouseCoopers.