The Cybersecurity Act of 2015 has been in effect for six months, but Congress and the Homeland Security Department say tweaks are needed to encourage more information sharing from industry.
A panel of cybersecurity experts appearing before the House Homeland Security subcommittee on cybersecurity, infrastructure protection and security technologies said Wednesday that industry needs greater assurance that participating in CISA is in their best interest.
“CISA is part of a mix of cybersecurity policies that need to advance together,” Matthew Eggers, executive director of cybersecurity policy at the U.S. Chamber of Commerce, told the subcommittee.
Early information-sharing leaders and Information Sharing and Analysis Centers (ISACs), he said, have improved the quality and volume of cyber threat information under CISA, but government needs to do more to recruit small businesses and the “intrigued but cautious.”
In crafting CISA, which passed in late 2015, Congress spent hundreds of hours in outreach to industry partners in energy, health care, financial services, technology, telecommunications and retail.
While pushing CISA across the finish line in late 2015 was a significant accomplishment years in the making, Rep. John Ratcliffe (R-Texas), the subcommittee chairman, said Congress doesn’t get to enjoy its victory lap just yet.
“Congress’ job doesn’t end when a piece of legislation is signed into law, and that’s especially true when it comes to cybersecurity legislation. Continued oversight is essential to making sure that the bill is implemented in a manner that actually improves our cyber defenses. If agency guidance isn’t clear, if tweaks need to be made, we want to hear that feedback, and we want to address those concerns,” he said.
Through the law, DHS’ National Cybersecurity and Communications Integration Center (NCCIC) serves as the civilian portal for the sharing of cyber threat indicators between government and the private sector.
“We understand the existing liability we have today with sharing threat information, sharing breach information. We just want to make sure, and we’ll hopefully find it in the additional guidance, that we’re not increasing our liability for either good faith acts or lack of action based on lack of cybersecurity indicator,” Mordecai Rosen, general manager of the security business unit at CA Technologies, told the subcommittee.
Rep. Michael McCaul (R-Texas), the full committee chairman, said the federal government needs to better lay out the “rules of the road” for how information is shared with NCCIC, and to make sure data exchanges are efficient, timely, and secure.
“Even with the fundamentals in place, we still have major vulnerabilities, especially lack of information sharing. After 9/11 we learned that if our agencies did not connect the dots, we could not stop attacks. The same principle applies to cyber threats — if no one shares data, everyone is less secure and intrusions go undetected,” McCaul said.
Mark Clancy, the chief information officer at Soltra, said NCCIC’s definition of personally identifiable information differs from that used by other DHS programs. He urged greater clarification.
“It is critical that clarity be provided quickly by DHS to ensure top protections by all who participate in the program,” Clancy said.
Ola Sage, chief executive officer at e-management, agreed that small businesses, if they are even aware of CISA, don’t usually realize the benefits of sharing cyber threat information under the law.
“We recognize the law is new and though it applies to any size organization, today it is largely an interest of larger companies with greater infrastructure and resources,” Sage said.
Better visibility of the law, she added, could be achieved through existing outreach and awareness programs with the Small Business Administration, or by working with Chambers of Commerce, small business associations, and trade groups.