New Legislation on Threat Intelligence Sharing May Have a Chance

Wednesday, January 28, 2015

Anthony M. Freed


After years of political wrangling, apprehensions about corporate liability, and a host of data privacy objections, Congress finally moved on the passage of some key cybersecurity legislation in December.

But the four bills that were approved last month did not address all of the top concerns, namely the creation of an information-sharing platform that would enable better information exchange about cyber-based threats between the public and private sectors.

Similar legislation had died in the Senate last year, but President Obama opened the door for new proposals in his recent State of the Union address, and key Congressional committee members in both the House and Senate are planning to introduce new legislation soon.

“The president’s proposal is an important first step in developing that legislation,” said chairman of the Senate Homeland Security and Governmental Affairs Committee, Senator Ron Johnson, who scheduled a hearing for this Wednesday on the need for information-sharing.

“Cybersecurity is not a Republican or Democratic problem. It’s a serious problem that both parties have the same self-interest to solve before something really devastating happens like an attack against our electric grid.”

The main obstacle to the passage of information-sharing legislation is the concern that businesses may share too much private information about their customers with the government, an issue that has some civil liberties groups lined up to oppose any such legislation.

“We don’t think any bill is necessary,” said Gabe Rottman of the American Civil Liberties Union. “The high-profile hacks we’re hearing about tend to be cases where the companies need to be more careful in defending their own systems. An information-sharing bill would not have stopped any of those hacks.”

Obama had threatened to veto previous iterations of information-sharing legislation based on similar concerns, but the administration’s willingness to discuss how these obstacles can be circumvented to come to a consensus gives supporters confidence that the White House and Congress can come to an agreement.

“We think it’s very important that the administration wants to get engaged and wants a seat at the table to discuss the bill with lawmakers and the private sector,” said Matt Eggers of the U.S. Chamber of Commerce.

“It’s good that the administration has made the cybersecurity information-sharing bill a priority. Once the Senate and House pass the bill and send it to the president’s desk, we would expect that he would sign it.”

The most significant piece of legislation passed in December was S. 2519, the National Cybersecurity Protection Act of 2014, which was designed to further enhance the ability of the Department of Homeland Security to collaborate with the private sector on security issues through information-sharing efforts via the National Cybersecurity and Communications Integration Center (NCCIC).

While this was a significant step in formalizing the processes for the sharing of cybersecurity intelligence, the bill did not address issues raised by the private sector regarding providing immunity against lawsuits for private companies that share security threat and data breach information with the federal government, one of the other big obstacles to the passage of similar legislation.

Congress also approved S. 2521, the Federal Information Security Modernization Act of 2014, which updates the 2002 Federal Information Security Management Act in order to better organize federal government cybersecurity management efforts under the authority of DHS.

The other two bills passed last month included S. 1691, the Border Patrol Agent Pay Reform Act of 2014, which in part gives DHS the ability to expand the department’s cybersecurity workforce, and H.R. 2952, the Cybersecurity Workforce Assessment Act, which requires DHS to carry out regular assessments of that cybersecurity workforce and provide updates to Congress on its status.

Cross-posted from Norse's DarkMatters Blog
