On the heels of President Obama's recently issued cyber security executive order, lawmakers are revisiting controversial legislation that also tackles the issue of public-private information sharing to curb cyber threats.
On Wednesday, Reps. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md., reintroduced a proposal known as the Cyber Intelligence Sharing and Protection Act (CISPA), which was approved by the House last April but never taken up in the Senate.
Supporters of the bill, which codifies the sharing of cyber threat intelligence between the private sector and the U.S. government (and immunizes the former from privacy lawsuits), say the measure is necessary to combat today's sophisticated online enemy.
Chip Tsantes, a principal for information security advisory services at Ernst & Young, told SCMagazine.com on Wednesday that information sharing should be a symbiotic relationship – and CISPA fosters that.
“We are not in an environment where people are compelled to share security mistakes, with the exception of state data breach laws,” Tsantes said. “It needs to be a two-way street, and there needs to be a reward for sharing information, not a punishment. The government needs to learn from private industry and vice versa.”
Still, opponents of the bill, including the American Civil Liberties Union (ACLU), have questioned whether CISPA would allow companies to share consumer data with the government for “undefined national security purposes,” the group said in a Wednesday statement.
The issue came up Thursday during a House Intelligence Committee hearing on advanced cyber security threats. Rogers, CISPA's author and sponsor and the committee's chairman, attempted to quell privacy concerns about the bill.
"People think they're going to be sharing their personal information back and forth to determine who the bad guy is," he said during the hearing, adding that this is not the case. He was backed up by Kevin Mandia, founder of Mandiant, an incident response company that is often called in to investigate breaches at big-name firms.
Mandia, who was testifying before the committee, described what these packets of threat data actually contain. "It's all intelligence that has no invasion of privacy," he said.
But this did not convince Michelle Richardson, an ACLU lobbyist, who believes the law as written tells a different story. She told SCMagazine.com on Thursday that there is no assurance that consumers' personally identifiable information (PII) will be removed during the information sharing process.
"There's no requirement [in CISPA] that the PII be stripped out," Richardson said.
Meanwhile, Obama's cyber security executive order earned higher grades from privacy advocates. A major objective of the order, signed by the president Tuesday night before he took the stage to deliver his State of the Union address, is to create a channel for federal agencies to share threat information with companies in order to better defend the country's critical infrastructure. CISPA, on the other hand, takes an expanded approach to collaboration, proposing that companies also share information with the government.
Mark Jaycox, a policy analyst and legal and legislative assistant for San Francisco-based digital rights group Electronic Frontier Foundation, told SCMagazine.com Wednesday that CISPA is problematic in that it may encourage companies to conduct surveillance on citizens and pass that information on to the government.
“The bill still has some of the major flaws that it had last session,” Jaycox said. “The bill doesn't [directly] allow the government to monitor networks, but it provides legal immunity and it encourages the companies to do the monitoring and spying, and share it with the government.”
In addition to information sharing between the public and private sectors, the executive order calls for identifying the critical infrastructure at greatest risk of attack. It also directs the National Institute of Standards and Technology (NIST) to produce a preliminary “Cyber Security Framework” within 240 days, with the Department of Homeland Security establishing a voluntary program to support its adoption.
The framework will set out specific best practices for agencies and companies. The order also urges lawmakers to pass legislation that further supports its goal: protecting the country's vulnerable critical infrastructure from cyber threats. Industrial control systems (ICS), which manage large-scale processes such as oil and gas production, power generation and water treatment, have increasingly become a point of concern for the White House, as these systems are often older and more vulnerable to attack.
The executive order, however, does not bind private companies and thus cannot force them to share information with the government or among themselves. Adoption of the framework is therefore voluntary, though the order directs agencies to develop incentives for those that do.
Obama, during his address, called on Congress to also act.