The Senate likely will bring the Cybersecurity Information Sharing Act (CISA) to the floor after next week’s recess, but if discussion among industry, agencies and Congress is any indication, consensus over what that legislation will look like won’t come easily.
The bill’s co-sponsors, Senate Select Intelligence Committee Chairman Richard Burr (R-N.C.) and ranking member Dianne Feinstein (D-Calif.), said they are open to changing the legislation — as long as it stays true to the fundamental basics of the bill.
One of those key points, they said, is that agencies and private companies should be able to share information with each other in real time.
“It has to transmit in real time, not just from a business-to-government, but from government-to-government,” Burr said Oct. 6 at the U.S. Chamber of Commerce’s annual cybersecurity summit in Washington. “We can’t have one part of government hold up that data from being broadcast to all of the agencies that would be pertinent to the forensic needs and the identification of the attack software that might be used.”
But Homeland Security Department Deputy Secretary Alejandro Mayorkas made a clear distinction in favor of “near-real-time.”
“The reason why we — and supported by the administration — believe profoundly that the term ‘near-real-time’ is so critical is because it allows us to scrub — in an automated form — personally identifiable and other information that carries with it significant privacy interests that do not necessarily serve the discrete interests of the enforcement or investigative communities,” he said.
DHS has already been working on tools to share threat data in near-real-time. Mayorkas said the department and the Obama administration agree on and accept DHS’ position as the portal for such information.
Feinstein said initially agencies such as the FBI or Defense Department were considered to be possible portals to receive threat data, but that idea quickly changed.
“It was actually [former NSA Director] Keith Alexander who came to our committee and suggested the concept of a DHS portal in real time, in the belief that this could be done in real time,” Feinstein told reporters Oct. 6. “I have heard no one say that it couldn’t. DHS has entered the picture and said they want some hands on this. But the key is real time. Alexander believed it could be done real time, so I think it’s the appropriate standard.”
Both senators agreed CISA doesn’t protect agencies from every single kind of cybersecurity threat, but it’s a start, they said.
“This is a bill to minimize data loss,” Burr said. “We don’t portray that anything in this bill stops you from being targeted and penetrated. But it makes our response time — as long as we keep the process in real time — it keeps the process to where we can minimize the overall data loss from any attack tool to any country or individual that wants to commit it.”
Despite some discrepancies in the legislative language on DHS’ role in sharing threat information, Mayorkas said he wants to see CISA pass quickly.
“My hope is that the current legislation that is currently working its way through Congress passes,” he said, “and that the trust deficit that we have experienced over the past few years is addressed favorably.”
Trust between industry, government still elusive
The trust deficit Mayorkas described was further demonstrated when one member of the summit audience asked during an industry keynote, “Why should we trust the government?”
“Because you have to,” Tom Fanning, president and CEO of the Southern Company, said in response.
For industry, sharing threat data in real time with the government will open up greater privacy questions.
Mayorkas said he understands their concerns and described pressure between the public and private sectors as mutual.
“Companies sometimes feel tension with cooperating with enforcement on the one hand and perhaps cooperating with government’s remedial efforts on the other,” he said. “And just as the private sector feels that tension, quite frankly, the discussions [are] going within the government about that very same tension.”
Mayorkas said industry and government need to build a mutual understanding and foster a culture of confidence with each other, but that relationship, which he said has widened in a post-Snowden era, has a long way to go.
“We have to shrink that chasm and build a bridge so that it really becomes a thing of the past,” he said. “Until we overcome at least the level of distrust that exists or has existed over the past few years, we’re going to have an uphill battle.”