SAN FRANCISCO – The House of Representatives is considering a pair of information sharing bills this week. Also up for consideration is a data breach notification bill that is not likely to make it into law any time in the near future.
According to a panel of experts at the RSA Conference, the House will merge the two information sharing bills into one and pass it along to the Senate, which will add its amendments and ultimately pass the bill along to the president, who will sign the threat data sharing bill into law in the near future. Experts agreed that the threat sharing bill is very likely to become law before the June 1 sunset date for the surveillance-enabling Section 215 of the PATRIOT Act, as Congress intends to keep the data sharing and surveillance debates separate.
Tom Corcoran, a former Congressional staffer and head of cyber threat analysis at Zurich Insurance Group, noted that the NSA surveillance and spying information revealed by whistle-blower Edward Snowden have made the process to pass a strong data sharing law much more complicated. Ryan Gillis, the president of cybersecurity strategy and global policy at Palo Alto Networks, added that Congress would be smart not to bundle any surveillance reform related provisions into the threat sharing bill in order to avoid further complicating an already complicated debate.
Interestingly, the data sharing bill will go into law with no regulatory provisions requiring companies to share threat intelligence. Tom Bossert, a former deputy assistant to the president on homeland security, explained that there may be punitive regulations added to the law at a later time, should the bill become law. However, he claims the real strength of the legislation will be its ability to incentivize companies to share threat data and avoid negligence litigation as a result.
There is a growing consensus that information sharing seems like a no-brainer, Brossard said. He added that threat sharing’s value proposition is that it’s for the common good of everyone. People are currently sharing threat data without any real promise for rewards. These bills, he said, will create a kind of cyber-negligence liability. Private litigation is going to happen when the government or private companies fail to act on information from data sharing collectives. This reality, he said, is more likely to provide teeth for the draft bill than any future regulations added in after the fact.
Sarah Beth Groshart, a former Capitol Hill staffer and current government affairs expert at the Information Technology Industry (ITI) Council, believes the bill is likely to pass because ITI members played a significant role in shaping it. The ITI boasts members such as Apple, Adobe, Facebook, HP, Yahoo and a bevy of big, brand name technology companies. The 59 ITI member companies are endorsing the bill, according to Groshart, in large part because of its strong data minimization and public-to-private and private-to-private privacy protections.
To that end, the panel’s moderator, David Colberg, the director of government affairs at EMC Corporation, explained that part of the bill’s strength stems from a substantial effort on the part of Congress and the White House to bring businesses into the discussion about building an information sharing law.
Gillis of Palo Alto Networks said that nearly everyone has always agreed that information sharing is a good thing. The good news, he explained in the panel discussion, is that the information sharing debate has become much more sophisticated now. An example of that sophistication emerged when the government managed to ensure that government sponsored threat intelligence sharing would not violate antitrust laws. If the bill passes and aims to be an effective law, Gillis said, it needs to do no harm. It can’t hurt existing intelligence relationships, it can’t violate privacy and it can’t weaken the existing state laws which it will preempt.
Deborah Gill of Sony – also a former Capitol Hill staffer – argued that the Department of Homeland Security is prepared to run the threat sharing platform, known as the National Cybersecurity and Communications Integration Center (NCCIC). She went on to explain that once the private sector sees the DHS using NCCIC to declassify and pump out anonymized threat data, it will follow suit.
The panel agreed that threat sharing needs to be carried out by a civilian agency. However, Corcoran of Zurich Insurance Group explained that the private sector needs the government to facilitate information sharing. He said that there are plenty of private companies and groups thereof doing a lot of interesting things with information sharing. But, he said, these groups do not have the capabilities or the information that the National Security Agency has. The DHS has the capacity to be the point-man between private firms and the national security and intelligence communities.
It’s not clear at this point exactly what an information sharing law would look like, but you can read each of the draft bills, the National Cybersecurity Protection Advancement Act of 2015 [PDF] and the amendment to the Homeland Security Act of 2002 to enhance multidirectional sharing of information related to cybersecurity risks [PDF], on the House of Representatives’ website.
