The related provisions would implement major recommendations from the Cyberspace Solarium Commission.
The White House is threatening to veto the National Defense Authorization Act if it contains a number of provisions from the House, including those for public-private cyber threat intelligence sharing activities recommended by the Cyberspace Solarium Commission.
Sections of the House bill calling for a cyber threat information collaboration environment (Sec. 1631) and defense industrial base participation in a threat intelligence sharing program (Sec. 1632) “do not adequately reflect the Director of National Intelligence’s statutory responsibility to protect intelligence sources and methods with regard to cybersecurity threat intelligence related to information systems operated by agencies within the Intelligence Community,” reads a statement of administration policy released Tuesday.
The proposals are based on recommendations from the Cyberspace Solarium Commission, and their inclusion was celebrated by commission members such as Rep. Jim Langevin, D-RI. The provisions have bipartisan support and are also included in the Senate’s NDAA. The idea is that they would start to build trust between the public and private sectors for greater collaboration in tackling cyber threats.
“We wanted to create this joint collaborative environment where we're going to give them more information, but we're also expecting more in return as well,” Langevin said in an interview with Nextgov.
The Solarium Commission, which included bipartisan members of Congress, the administration and the private sector, was even willing to provide liability protections for certain companies, such as major telecommunications, energy, transportation and water providers deemed “systemically important critical infrastructure,” in exchange for strengthening their defenses.
“They're going to have to make their systems more secure, they're going to have to work with us more closely to better protect their systems but in exchange for that we're going to give some liability protections, if they do what is required,” Langevin said. “So it would be a special designation, they would be systemically important critical infrastructure. For those types of companies, there's a real public interest involved in making sure that they're secure and safe as possible and we have to work more closely with them in this joint collaborative environment so they can better protect themselves.”
Amendment 2095 to the Senate NDAA spells out the liability protections companies want, in addition to more government intelligence, in exchange for working more closely together.
The administration’s veto threat notes support for the intent of the provisions that would provide the organizational structure for such collaboration, but the document says they don’t explicitly protect the intelligence community’s sources and methods, in one case, and duplicate efforts from the administration in another.
“With respect to section 1631, the Administration supports appropriate collaboration on cyber threat information within the United States Government,” the document reads. “The Administration, however, strongly objects to the lack of an opt out provision reasonably tailored to address sources and methods [in] information sharing related to such systems. With respect to section 1632, the Administration expects to use the rulemaking authority in subsection (e) to address similar concerns.”