The Pentagon’s proposed 2014 budget outlines a cybersecurity program that is similar to a controversial bill the House is expected to vote on this week.
The Defense Department's funding request would finance "a comprehensive coordinated cybersecurity information sharing system that will serve as the foundation for cybersecurity information sharing requirements across the government." The system, "in real-time," would allow relevant pieces of information to reach authorized personnel throughout the government, so all can "connect the dots in identifying cybersecurity threats," according to budget documents.
White House budget slides indicate that $79 million would be distributed across the departments of Homeland Security, Justice and Defense to "help agencies and the private sector connect the dots in identifying and responding to cyber incidents." DHS plans to contribute $44 million to the program, in part for "protecting individual privacy and civil liberties," according to a department 2014 spending summary. Defense’s budget breakdown for cyber is not available yet, Pentagon officials said.
But the "real-time" part of the program requires new legislation, according to Gen. Keith Alexander, who is both head of Cyber Command and director of the National Security Agency.
“It's a legal barrier, not a technical one,” said Ed Skoudis, founder of Counter Hack Challenges. The company built CyberCity, a 3-D model town that government and industry are using to practice securing and attacking private networks.
Only Congress can authorize new privacy and liability protections so that Internet companies do not have to go through lawyers before disclosing, for example, the timestamp on a customer’s email that contained malicious code.
The Cyber Intelligence Sharing and Protection Act, or CISPA, would grant protections and allow NSA into the sharing circle. The House Intelligence Committee approved the measure on Wednesday and a floor vote is anticipated this Thursday.
While Alexander has not explicitly endorsed CISPA, his description of a key element needed in statute sounds a lot like it: The Defense program would require "the ability for industry to tell us in real time, and this is specifically the Internet service providers, when they see in their networks an attack starting. They can do that in real time. They have the technical capability, but they don't have the authority to share that information with us in -- at network speed. And they need liability protection when we share information back and forth and they take actions," he said at a March Senate hearing.
Interagency and public-private communication loops feed off of each other, federal officials say. When agencies exchange quality intelligence, “this both increases government security and improves the signatures given to industry,” a former Defense official who served until last fall said. Signatures are descriptions of harmful code that are loaded into anti-virus software so it can detect threats.
Since joining in would be voluntary for companies under CISPA and current regulations, industry “needs the best possible information in order to see value in participating. Industry then shares with the government, ideally in real-time, thus completing the picture,” the official explained.
But CISPA has detractors in some high places. The Obama administration threatened to veto the measure last year, due to civil liberties concerns. The bill successfully passed the House, yet Senate Democrats, the White House and Republicans could not agree on the scope of interactions.
Last week, committee members tweaked the text to strike a better balance between security and privacy. One amendment requires the government to put restrictions on the use, storage and searching of data submitted by businesses.
Privacy advocates were unsatisfied.
“The core problem is that CISPA allows too much sensitive information to be shared with too many people in the first place, including the National Security Agency,” Michelle Richardson, legislative counsel for the American Civil Liberties Union, wrote in a Friday column on the organization’s website.