Hope springs eternal for cyber laws after House approval

The House made it two-for-two Thursday by passing another cyber information sharing bill.

Lawmakers overwhelmingly supported the National Cybersecurity Protection Advancement Act (H.R. 1731) by a vote of 355-63. The passage of this bill followed Wednesday’s approval of the Protecting Cyber Networks Act (H.R. 1560) by a similar vote of 307-116.

With the passage by the House and at least initial support from the White House, these two bills are closer to becoming law than any previous attempts to improve public-private cyber information sharing.

“It has taken some time for lawmakers to understand the magnitude and consequences that potentially are at risk,” said Bob Dix, the vice president of government affairs and critical infrastructure protection for Juniper Networks. “It has become a more significant risk factor that has continued to grow and evolve, and as a result of some of the high profile breaches we’ve seen, it’s drawn greater attention for lawmakers, for the administration, for leaders in state and local governments, and for CEOs and other executives in the private sector across a wide range of industries. That’s all a positive thing. Now we are at a tipping point, where leadership in Congress and leadership in the administration are coming together, which is not happening every day here in Washington on issues. It’s a great step forward, but we have to remind folks, and that will be part of our mission in industry, that the job isn’t done. These are good first steps, but there is more work to do.”

The House has passed information sharing bills previously, but none have received much attention or support from the Senate or the White House.

But Dix and others say the difference this time is how lawmakers from both sides of the aisle worked with industry and the administration to craft bills that are at least palatable, specifically around liability protections for the private sector and building off of the initial success of the cybersecurity framework being led by critical infrastructure providers with help from the National Institute of Standards and Technology.

“Removing the legal barriers for the voluntary sharing of cyber threats will help keep malicious nation states and cyber criminals out of our vital digital networks,” said Rep. Mike McCaul (R-Texas), sponsor of H.R. 1560, in a release. “This bipartisan, pro-privacy, pro-security bill has been three years and hundreds of stakeholder meetings in the making. I look forward to moving this landmark bill over to the Senate and getting it to the President’s desk as quickly as possible.”

Tom Kellermann, chief cybersecurity officer for Trend Micro, said both bills are proactive and forward leaning, and will empower a public-private partnership, which is something that has been lacking for some time.

“We have not been able to share information like the hackers have. The reasons why we continue to lose in cybersecurity is because the hacker community shares more information than the public and private sectors,” Kellermann said. “Both of these bills allow for a forum, a clearinghouse to be created at the NCCIC [National Cybersecurity and Communications Integration Center], and a capacity for private sector corporations to contribute to the U.S. government’s efforts to essentially civilize cyberspace.”

Pumping up the NCCIC

Both bills approved this week are trying to address similar problems.

The National Cybersecurity Protection Advancement Act, which the House approved Thursday, calls for the NCCIC within the Homeland Security Department to expand its coverage to tribal governments and be the lead federal civilian interface for multi-directional and cross-sector sharing of information related to cyber threat indicators, defensive measures, and cybersecurity risks for federal and non-federal entities.

It also gives industry liability protections to share cyber threat information with the government, which has been a major sticking point in previous bills.

H.R. 1731 would provide liability protections for companies to conduct network awareness, or share indicators or defensive measures. It also establishes a private “cause of action” that a person may bring against the federal government if a federal agency intentionally or willfully violates restrictions on the use and protection of voluntarily shared indicators or defensive measures.

Finally, the bill would exempt from antitrust laws non-federal entities that, for cybersecurity purposes, share cyber threat indicators or defensive measures, or assistance relating to the prevention, investigation, or mitigation of cybersecurity risks or incidents.

Better model needed

Dix said the NCCIC hasn’t lived up to its initial vision of five years ago, in part, because of the lack of integration and collaboration across critical infrastructure sectors.

“The architecture of creating a series of one-off agreements with stakeholders doesn’t scale. It’s not joint and integrated and it’s not cross-sector. While that may have served a purpose at the beginning, in the view of those at DHS, there has to be a recognition now that that model is insufficient to meet our national needs in a global environment,” Dix said. “One of the original plans was to have full integration with our international partners and allies as part of the operation of the NCCIC. While we’ve made progress, we are not full to the point of integrating state and local governments, tribal governments, international allies and a broad range of our private sector stakeholders, especially in the critical infrastructure community.”

He added there are only four Information Sharing and Analysis Centers (ISACs) that work in the NCCIC on a regular basis.

“We can be better than that,” Dix said. “How do we get a national capability that scales, that is timely, reliable and actionable so the objective of improving detection, prevention and mitigation is where we get to instead of spending so much of our time in response and recovery where we largely are today?”

The Protecting Cyber Networks Act, which passed the House Wednesday, focuses on creating procedures for the intelligence community to share classified and unclassified cyber threat data with the private sector.

Within 90 days of the bill becoming law, the Director of National Intelligence (DNI) would have to submit to Congress new procedures for sharing this data.

The bill also would require the President to submit to Congress procedures for the departments of Commerce, Energy, Homeland Security, Justice and Treasury and the DNI to receive cyber threat indicators and defensive measures from the private sector.

The procedures must include an audit capability and appropriate sanctions for federal officers, employees or agents who use shared indicators or defensive measures in an unauthorized manner.

H.R. 1560 also would codify the Cyber Threat Intelligence Integration Center (CTIIC) within the DNI and make it responsible for ensuring that appropriate agencies receive all-source intelligence support to execute cyber threat intelligence activities and perform independent, alternative analyses; for disseminating threat analysis to the President, federal agencies, and Congress; and for coordinating federal cyber threat intelligence activities and conduct strategic planning.

Sharing organizations are complementary

Dix said the fact that the Protecting Cyber Networks Act includes the ability of other agencies beyond DHS to continue and improve upon long-standing relationships with specific sectors is a major change from previous bills.

“Some companies, and ours is one, have a long and strong relationship with the FBI, as an example. I think the key is how do you correlate the data flows?” he said. “This has been a gap that I think has not been addressed by the legislation. I’m hoping as we continue to move forward that we will improve our ability to gather, correlate and analyze information flows and be able to identify patterns and trends of anomalous or abnormal behavior in order to issue alerts in a timely manner.”

Dix said the comparison he often makes is the ability to bring weather data together to save lives and reduce risk when storms are approaching. He hopes the new powers for the NCCIC and CTIIC can help agencies and vendors react around cyber like communities do for bad weather.

Kellermann said the two bills are complementary even though they are creating two similar organizations for the private sector to share cyber threat data.

“The CTIIC will be focused more on national security issues where as the NCCIC will be focused on economic security issues and the security issues that impact critical infrastructure,” he said. “We have to appreciate that 85 percent of the critical infrastructure is owned by the private sector and thus you need a civilian organization like the NCCIC and DHS to help us coordinate the protection of that. That being said, we are being attacked in unprecedented fashion from nation states around the world and we need to truly mobilize the DNI as well as the NSA to combat those threats. And we need great capacity to share information vis-a-vis the threats coming out of, let’s say, Eastern Europe at this time.”

Members of the Senate have introduced companion bills to the House, but they are not exactly the same. The White House supported both bills, raising concerns that sweeping liability protections could grant immunity to companies that fail to act on information they receive about the security of their networks.

Those concerns could be addressed if the House and Senate eventually merge their bills.

Federal data breach law still needed

Kellermann and Dix agree these bills are good, but there is plenty more that needs to be done.

Dix said Congress and the administration need to figure out how to address the economics of cybersecurity. He said a package of incentives, which doesn’t necessarily include money, is needed to drive investments by companies of all sizes.

“One of the greatest impediments to investing in cybersecurity is the cost,” he said. “We want to have a better understanding of risk, threats and the potential consequences and attended costs. Cybersecurity is not an open checkbook, so we need to be thinking about all the stakeholder communities.

Kellermann said there are two areas where Congress should act next.

The first is creating a federal data breach notification law to harmonize all the different laws at the state level.

The second is modernizing the money laundering statutes to incorporate electronic forfeiture of assets to go after the money that he said is fueling the cyber crime underground.

“With data breach reporting you actually force the boards and the offices of organizations to really pay attention to this issue and stop looking at it solely as a technology issue,” Kellermann said.


House bill offers liability protection for information sharing

New cyber threat center to fill gaps in information sharing

Senate Intelligence Committee finalizing version of cyber sharing bill