Cybersecurity Intelligence Sharing Remains Stalled on Hill, With Federal Agencies Seen Stepping In
A Senate companion to the House-passed Cyber Intelligence Sharing and Protection Act (HR-624) remains stalled in the Senate Intelligence Committee, as had been expected at the beginning of the year (CD Jan 6 p2). Industry observers told us they continue to see limited prospects for any information sharing bill to emerge from Senate Intelligence and pass the full Senate by the end of the current Congress. At the same time, agencies’ sharing efforts have begun to coalesce in a way that makes legislation less necessary in the near term, some experts say.
Behind-the-scenes chatter indicates that Senate Intelligence remains close to bowing its information sharing bill that would likely be a modified version of the Cyber Intelligence Sharing and Protection Act (CISPA), observers said, but they remain largely unconvinced that a bill could make it through before the midterm election campaign zaps remaining legislative momentum on Capitol Hill. A spokeswoman for Senate Judiciary ranking member Saxby Chambliss, R-Ga., said she had no new updates on the bill’s progress. A spokesman for committee Chairwoman Dianne Feinstein, D-Calif., did not comment. “We'll see if this bill actually shows up,” said James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy program. Internet Security Alliance President Larry Clinton said he is “not overly optimistic” that Senate Intelligence can move an information sharing bill now. “I will be pleasantly surprised if a bill of that sort can move through Congress” at this point given the limited time before the midterm election campaign, he said.
The Telecommunications Industry Association remains strongly in favor of information sharing legislation that includes liability protections for participating companies, but also believes the Senate Intelligence bill remains stalled, said Danielle Coffey, vice president-government affairs. “I think it’s fallen victim to other things that are moving through the committee, and obviously also the concerns” about controversial NSA surveillance programs, she said. Continued fallout over NSA surveillance has long been seen to have stymied virtually all cybersecurity legislation on the Hill since information about the programs began to leak last summer (CD Sept 16 p11). One of the major questions the Senate Intelligence bill would need to answer is the role U.S. intelligence agencies would play in any enhanced government-private sector information sharing, said Allan Friedman, a visiting scholar at George Washington University’s Cyber Security Policy Research Institute. A Senate Intelligence bill would also need to address how federal agencies play a role in heightened information sharing and how specifically the government would use any shared information, he said.
If Senate Intelligence does consider an information sharing bill, it’s likely to be different enough from CISPA that it would require some negotiations at conference if it passed the Senate, Lewis said. The Senate Intelligence bill is “a little bit more advocate friendly,” since the committee appears to be working to accommodate privacy groups that voiced significant concerns with the version of CISPA passed last year, he said. The biggest differences appear to be on the treatment of liability and the limitations on what information can be shared, Lewis said.
Congress in general appears to be “taking a step back” from information sharing legislation in order to consider how federal agencies’ implementation of President Barack Obama’s cybersecurity executive order (CD Feb 14/13 p1) plays out, said Mark Jaycox, an Electronic Frontier Foundation policy analyst. The focus has instead largely shifted to cybersecurity research and development bills, he said. The executive order outlines clear practices and procedures for setting up an effective information sharing system, so agencies’ implementation of those practices will determine what sort of information sharing legislation Congress feels is necessary this year and into the 114th Congress, Jaycox said. “We have these robust systems in place and forming,” he said. “Given where the executive order is going, factors are combining to show that we don’t necessarily need a bill from Congress and that policies being developed within agencies are suitable.” Agencies’ progress on information sharing over the next year will likely aid what the 114th Congress does, Jaycox said. “Everyone is waiting and watching to see how this process develops.”
Federal agencies have continued to progress on implementation of the executive order, including work on targeted information sharing at sector-specific agencies, Jaycox said. The Department of Homeland Security issued a report earlier this month assessing privacy and civil liberties practices related to the order’s implementation that also details information sharing efforts within federal agencies. Agencies currently implementing information sharing include DHS and the Departments of Defense, Energy and Treasury, with limited input from several other agencies through the interagency Cybersecurity Information Sharing Working Group, DHS said in the report (http://1.usa.gov/1k4nn5e).
In the absence of legislation, federal agencies can do substantial things to improve information sharing, though information sharing is not itself the “be-all and end-all,” Clinton said. Federal agencies can, with White House support, make clear that information the private sector shares with the government does not end up being used for regulatory purposes, Clinton said. The White House has used “progressive” language in dealing with the cybersecurity issue, but some federal agencies are using rhetoric that “establishes an atmosphere that isn’t conducive to getting industry” to participate, he said. Federal agencies also need to improve their understanding of the economics of cybersecurity, Clinton said. The White House and DHS have substantially improved their understanding of the economics aspect, but that needs to extend into other agencies as well, he said.
The private sector’s concerns about information sharing have focused on the need for liability protections, but they have also been concerned about whether information sharing could be seen as a potential antitrust violation, Jaycox said. The FTC and Department of Justice issued a joint policy statement earlier this month repeating an existing DOJ Antitrust Division analysis that said properly designed information sharing is “not likely to raise antitrust concerns” (CD April 11 p13). The DOJ/FTC statement is a “step in the right direction,” but most in industry do not believe it was an enormous one, Clinton said. Attorneys are already cautioning clients not to interpret the statement “too broadly,” he said. The DOJ/FTC statement is not likely to improve information sharing, since the companies that are most likely to participate are already doing so, Friedman said. “I don’t know of anyone who wasn’t sharing information because it might raise antitrust red flags,” he said. The major impediments to information sharing include economic considerations, the risk of resulting litigation and the need for social reasons to spur on sharing, Friedman said. Still, “any time you can remove a stated obstacle that companies and groups said was a reason they couldn’t share information, that’s not useless,” he said.