Senate Intelligence ‘Very Close’ to Releasing Cybersecurity Bill, Chambliss Says
Senate Intelligence Committee ranking member Saxby Chambliss, R-Ga., said Tuesday he is “very close” to introducing an information sharing bill for cybersecurity protection. The bill, which Chambliss is working on with committee Chairwoman Dianne Feinstein, D-Calif., would be a companion to the Cyber Intelligence Sharing and Protection Act (CISPA), which the House passed in April (CD April 19 p6). The lead sponsors of CISPA, House Intelligence Committee Chairman Mike Rogers, R-Mich., and ranking member Dutch Ruppersberger, D-Md., said Tuesday they're confident the chambers could work out their differences in conference if the Senate acts, speaking at the same Politico-sponsored cybersecurity event. Rogers seemed particularly optimistic, saying efforts to educate House members on the cyberthreat had drastically improved the whip count for CISPA and praising Senate leaders for similar education efforts in recent months.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Chambliss said his bill would establish a central “portal” within the Department of Homeland Security from which cybersecurity information could be shared in “real-time,” emphasizing that “real-time” does not mean “in seconds,” but immediately. Chambliss also said he wanted the bill to provide total liability protection to companies that participate, but acknowledged that he and Feinstein have differed on those liability provisions. He said the protection would give the private sector an incentive to participate in the government’s cybersecurity framework. “If we don’t incentivize the private sector to get involved, then we have totally failed.”
But lawmakers at the event expressed doubt that Congress would address cybersecurity legislation this year, following the outsized debate on the government shutdown and debt ceiling, and following the summer’s surveillance revelations from former contractor Edward Snowden. Several, including House Intelligence Committee member Adam Schiff, D-Calif., and House Armed Services Committee members Tammy Duckworth, D-Ill., and Mac Thornberry, R-Texas, said the shutdown debate would shelve the security issue past the end of 2013 (see separate report in this issue). Others blamed the delay on Snowden. Schiff said the debate will be “significantly impacted” by Snowden’s disclosures, since the “degree to which the public may be willing to have more personal information shared with the NSA or the intelligence community is less than what it was in the pre-Snowden world.” Thornberry said he was concerned the timing had slowed so much since Snowden. “The potential for a devastating attack is there, and we need to act before that.”
House Homeland Security Committee Chairman Michael McCaul, R-Texas, however, said an information sharing bill centering the collection of information within a civilian agency like the Department of Homeland Security is “really what we need right now after Snowden.” He said the information sharing bills had “nothing to do with surveillance,” but also said codifying the information sharing relationship within DHS would ensure the bill was housed in a department with the oversight of a full staff of privacy experts. Duckworth, Schiff and Ruppersberger, the only Democratic lawmakers at the event, expressed their support for the amendment to CISPA that placed the agency within DHS. McCaul also echoed Chambliss’s calls for liability protections, saying liability protections would encourage partnership. “How can you have a true partnership if [information sharing] is forced” through regulation? he asked.
Chambliss and many other officials at the event acknowledged that the next steps for cybersecurity are in the hands of Congress. Chambliss gave President Barack Obama credit for his work on the cybersecurity framework, but said more work is needed. Chris Finan, a Truman National Security Project fellow and former White House cybersecurity director, said the executive order went as far as the president could go, but that it only “gets us to the 10-yard line.” He said Congress would need to pass legislation to get the country’s defenses “to the end zone.” Mandiant Chief Security Officer Richard Bejtlich said, “The framework is like everyone agreeing they're going to play the same game, and putting their pads on. But it doesn’t tell you what the score is. There’s no guarantee it’s going to stop bad guys from getting your data.” Thornberry, however, said the administration still has more to do. He urged the administration to consult with Congress on the broad “rules of action” for engaging in cyberspace, before an imminent attack. “You can’t consult as it’s happening, so you need to have the rules of the game laid out ahead of time,” he said, saying any cyberattack would require an instantaneous response. “The more sorted it is ahead of time, the smoother things will go when electrons start flying,” he said.
On specific provisions within legislation, several speakers disagreed whether the government or companies should be required to strip the information they share with the government of personally identifiable information. Rogers said requiring companies to minimize the data themselves would put “the burden of helping the government help itself … onto smaller companies” that might have to hire someone new to clean the data. Ruppersberger said “participation is what counts.” But Finan said there’s “no reason businesses can’t minimize this data.” He said businesses need the clarity to facilitate business-to-business sharing above all, and emphasized that legislation that gave new liability protection to companies sending information to the government would go “too far.”