Commercial providers of technology and infrastructure want more federal protection to share specific cyber threat information about risky products and services.
Representatives of commercial telecommunications and IT gear told the House Homeland Security Committee that additional liability protections are needed to share information about companies and products they fear might harbor cybersecurity threats.
Although the 2015 Cybersecurity Information Sharing Act provided liability cover for companies to share specific indicator data from cyberattacks, it didn't provide such cover for actual products, Robert Mayer, senior vice president, cybersecurity, at USTelecom, told an Oct. 16 House Homeland Security Committee panel on supply chain security.
"What we don't have is a situation where an organization has a piece of equipment where they discover software or malware or a pattern of activities makes them suspicious" can be shared comfortably among companies, he told committee Chairman Rep. Bennie Thompson, (D-Miss.). That kind of explicit information on such a threat from a product, "would be very beneficial to share" within the commercial ecosystem, said Mayer.
"The lawyers are going to be very reluctant to allow that company to make those kinds of remarks without liability protection," he said. "There are laws in place that could result in litigation."
A top Department of Homeland Security official agreed.
"We want something in place to encourage private sector firms to share information about things they may not have trust" based on their experience or "due diligence," said Bob Kolasky, assistant director of the National Risk Management Center in the DHS Cybersecurity and Infrastructure Security Agency.
Kolasky, Mayer and John Miller, vice president of policy and senior counsel with the Information and Technology Industry Council, all testified at a hearing on the work of DHS' public/private Information and Communications Technology Supply Chain Risk Management Task Force. Mayer and Miller co-chair the task force.
When an agency gets adverse information about products through its intelligence work, "we do a pretty good job of getting that intelligence into the hands" of critical infrastructure owners and operators, Kolasky said.
"We want to expand our authority within the federal government to get it into the hands of [federal] procurement officials" through the [Federal Acquisition Security Council] to create a better repository for such information, he added.
"We lived through this" with the binding operational directive for Kaspersky Lab that prompted federal agencies to find and remove that company's products from federal networks, Kolasky said. "That withstood a court test and indicated to the private sector and state and local governments that we had taken these steps as a federal government that we didn't trust this stuff on our systems. We couldn't tell them not to buy it for their systems, but I think our indicator was very important," he said.
Thompson said he believed legislation addressing the liability issue could be on the horizon.
"I'm a little concerned that there's a reluctance to call out a bad actor for fear of being sued. That might create a vulnerability," he said. Lawmakers, he said, don't have that reluctance if there is a "need to secure our systems."
NEXT STORY: Advanced tech and human operators