Bipartisan cybersecurity bill aims to spur industry-government sharing

House Intelligence Committee Chairman Mike Rogers, R-Mich., and ranking member Dutch Ruppersberger, D-Md., introduced legislation on Wednesday that would provide a channel for the government to share classified intelligence with the private sector to protect against cyberattacks.

The bipartisan bill would make it easier for the government to share threat information with companies, without requiring the firms to act on it. It would also exempt companies from liability when they share information with the government, a provision that worries privacy advocates such as the American Civil Liberties Union.

"The American private sector is working incredibly hard to protect itself," Rogers told an audience at the National Cable and Telecommunications Association on Wednesday. "The best thing that we can do is remove the barriers that make it hard for industry to share information and defend themselves, and provide government information in support of these efforts."

"Our intelligence agencies collect important information overseas about advanced foreign cyber threats that could dramatically assist the private sector," he continued. "The government needs to be able to better share this threat intelligence so that the private sector can protect its own networks."

Under the Cyber Intelligence Sharing and Protection Act of 2011, the director of national intelligence would establish a framework for the intelligence community to share classified intelligence about cyber threats with the private sector. Information about vulnerabilities in systems, or about direct attempts to disrupt them or steal information from them, could be provided to cleared individuals specifically designated to receive it.

The private sector could then, in turn, share information about cyber threats with the federal government on an anonymous and voluntary basis, and with other participating companies, so long as the information is not used to gain an unfair competitive advantage. Companies that share their data in good faith would receive immunity from lawsuits, and they could not be held liable for failing to act on threat information they receive.

"They're just going to blow a hole through all the privacy laws on the books for cybersecurity purposes," ACLU's Michelle Richardson told The Washington Post.

Rogers pushed back against criticism that the bill contains no mandate requiring companies to act on information they receive about critical vulnerabilities. "These companies are under assault every single day, in some cases, individual companies tens of thousands of times a day. Their IT shops can barely keep up," Rogers said, adding that these threats can cost companies millions of dollars. "It's in their own best interests to cooperate."

The bill is narrower than Senate proposals, which favor more sweeping cybersecurity regulations. House Republicans have largely steered away from significant government regulations or mandates on industry, instead favoring cybersecurity incentives for private firms to boost their own security and share information.

"Our challenge to the intelligence community, to Congress at large, to the White House, has been: 'Don't dangle this bill up with all your hopes and aspirations of the final solution to cybersecurity,' " Rogers said. "That's not what this bill does. This bill is a very narrow, very important first step of providing a forum to get classified threat information to the companies who can use it best to protect a broad swath of networks across the country."

Rogers said that lawmakers on both sides, including Reps. Jim Langevin, D-R.I., Michael McCaul, R-Texas, Adam Schiff, D-Calif., and Mac Thornberry, R-Texas, support the bill. "The reason you can get all those people is because it is a very narrow, focused bill," Rogers said.

Last month, a House GOP task force, composed of representatives of nine committees with jurisdiction over cyber issues, called for industry-friendly cybersecurity incentives. "Change occurs so fast in this area that attempts to directly regulate a specific cybersecurity solution will be outdated by the time it is written," the task force concluded.

The bill already has support from industry. IBM's vice president of government relations, Christopher Padilla, said that the legislation "provides a solid framework and useful legal protections to permit the timely flow of actionable threat information in order for organizations to better protect themselves and customers."
