House Homeland Security Hearing on Obama Information Sharing Proposal

House Homeland Security Committee

“Examining the President’s Cybersecurity Information Sharing Proposals”

Wednesday, February 25, 2015 

Key Topics & Takeaways

  • Relationships Between Agencies: Spaulding said she welcomes the establishment of the Cyber Threat Intelligence Integration Center (CTIIC) because it will pull together intelligence from 16 intelligence agencies. She said part of CTIIC’s explicit mission will be to support the National Cybersecurity and Communications Integration Center (NCCIC), while NCCIC will be interacting on a daily basis with the public and private sector.
  • Liability Protection: Spaulding answered that the President’s proposal would apply not only to sharing with NCCIC, but to private sector sharing as well. She said the legislation would let the private sector share within itself while enjoying the same liability protections.
  • Sharing Practices: Hurd asked how the Department of Homeland Security (DHS) would address the classification of threat information before pushing it down to the private sector. Spaulding said DHS has implemented an enhanced cybersecurity services program to work with private cybersecurity providers, and information could be shared with them rather than having to clear all the private sector entities they work with.
  • DHS Funding: Spaulding warned that a funding hiatus would have impacts on the DHS cyber mission, especially by delaying the deployment of civilian programs that detect and block threats. She warned that cyber adversaries “are not taking a break.”

Speakers

  • Suzanne Spaulding, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security
  • Dr. Phyllis Schneck, Deputy Under Secretary, Cybersecurity and Communications, Department of Homeland Security
  • Eric Fischer, Senior Specialist, Science and Technology, Congressional Research Service 

Opening Statements

In his opening statement, Chairman Michael McCaul (R-Texas) spoke about the significant risks posed by cybersecurity threats targeting both the government and private sector. He warned that laws are not keeping up with the threat. He specifically commented that many companies do not want to share information about threats in their own networks, leaving others open to the same vulnerabilities, because they fear legal liability.

McCaul called on Congress to take action and not leave American businesses to fend for themselves by creating a safe harbor where legal barriers to information sharing are removed, allowing the U.S. to respond to threats more quickly and effectively. He said he was pleased President Obama has come forward with a proposal for information sharing, and that the solution to this issue must transcend partisan boundaries. 

In his opening statement, Ranking Member Bennie Thompson (D-Miss.) said cybersecurity at its core relies on effective information sharing. He touted the Committee’s work to propose bipartisan legislation last year that was signed into law, and commended President Obama’s proposal for again spurring debate. 

Going forward, Thompson said Congress has several questions to consider: 1) What kind of information is being shared? 2) Who is doing the sharing? and 3) Where is the sharing happening? 

Testimony

Suzanne Spaulding, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security (DHS), said in her testimony that she is very grateful to Congress for working on cybersecurity legislation and stressed the need to keep moving forward on a bill to facilitate information sharing. She said there is a growing need to increase the volume and speed of sharing without compromising the trust of the American people.

Spaulding said the President’s proposal allows companies to share through the National Cybersecurity and Communications Integration Center (NCCIC), which brings together public and private sector partners and works as a single designated point of entry for information being shared with the government. She said NCCIC reduces complexity for the private sector and standardizes information. 

Dr. Phyllis Schneck, Deputy Under Secretary, Cybersecurity and Communications, Department of Homeland Security, said in her testimony that NCCIC is at the forefront of the President’s proposal. She explained that the proposal narrowly defines the kind of information to be shared and further focuses on encouraging sharing and the effectiveness of private sharing organizations. 

Schneck said DHS is already sharing in real time, providing information to private companies and maintaining “scientific partnerships” with the private sector. She commented that DHS needs to “up its game” by using machine speed to understand what is happening around the world. She said there is a need to pull automated cyber threat indicators together in partnership, further linking DHS with the private sector, Federal Bureau of Investigation (FBI), and the rest of the intelligence community. 

Eric Fischer, Senior Specialist, Science and Technology, Congressional Research Service, said in his testimony that the key challenge in any legislation is achieving the balance between sharing information and avoiding adverse impacts. He highlighted five questions that must be asked going forward: 1) What are the kinds of barriers that exist to information sharing? 2) How should information sharing be structured to be most effective? 3) What are the risks to privacy rights and civil liberties? 4) What statutory protections against liability are needed? and 5) What improvements to current standards and practices are needed to ensure that information sharing is efficient and effective? 

Question and Answer

Relationships Between Agencies

McCaul said DHS is the ideal place for a safe harbor and should be the “lead portal” as the civilian interface for the private sector. He asked about how to integrate other portals such as the Treasury Department and the National Security Agency (NSA). Spaulding said the President’s proposal is narrowly focused on network defense and only covers cyber threat indicator information. She stressed that it is not intended to change relationships between the private sector and other parts of the federal government, and that firms should still be able to call any other agencies they are comfortable with. 

Schneck said DHS is working with its peers at a technical level to ensure that information is handled and distributed properly to other agencies and the private sector, and that it is important that all information can be seen together. 

Rep. Sheila Jackson Lee (D-Texas) asked about the difference between NCCIC and the Cyber Threat Intelligence Integration Center (CTIIC) announced by the President, and how the public would distinguish between them. Spaulding said she welcomes the establishment of CTIIC because it will pull together intelligence from 16 intelligence agencies. She said part of CTIIC’s explicit mission will be to support NCCIC, while NCCIC will be interacting on a daily basis with the public and private sector.

Rep. Bonnie Watson Coleman (D-N.J.) asked if there is any guarantee that the CTIIC will not “wander out” and become the face of interaction with the private sector and infringe on NCCIC. Spaulding said CTIIC’s role is very clearly defined, and that it will be limited to helping sharing within the government. 

Rep. John Ratcliffe (R-Texas) said it is important that people share information regardless of what agency it goes to. Spaulding agreed, saying she does not want to see existing relationships between agencies and private companies disrupted. She stressed that she simply wants to have all information collected in one place to ensure that it can then be sent to everyone who needs it and that it includes privacy protections. 

Liability Protection

McCaul said liability protection “is a bone of contention” but essential to incentivizing private sector participation. He said his conversations with businesses have indicated that they remain concerned about sharing within the private sector. Spaulding answered that the President’s proposal would apply not only to sharing with NCCIC, but to private sector sharing as well. She said the legislation would let the private sector share within itself while enjoying the same liability protections.

Rep. Curtis Clawson (R-Fla.) commented that multinational companies with employees and stakeholders around the world have a complicated situation and find it hard to explain sharing data with the U.S. government because of privacy concerns. He said proposals so far do not seem like a compelling case to take to such businesses. Spaulding said there is a wide range of legitimate reasons for companies to have concerns about sharing with the government, but that with the President’s proposal, “the devil is in the details.” She explained that as DHS moves towards automated information sharing, there will be total transparency about the information being shared. She said this information will be very technical and not sensitive. 

Clawson commented that without more details, any private sector chief executive officer would be negligent to go along with the sharing program on the basis of trust. Schneck responded that DHS will have to work to earn companies’ trust, and can start by letting them benefit from the data it shares itself. 

McCaul noted that the proposal is for a voluntary sharing system, and the liability protections will have to be provided so that companies can fully participate. 

DHS Funding

Thompson asked how a suspension of funding for DHS would affect cyber defenses. Spaulding warned that a funding hiatus would have impacts on its cyber mission, especially by delaying the deployment of civilian programs that detect and block threats. She warned that cyber adversaries “are not taking a break.” 

Jackson Lee asked if a lack of funding would “put us in jeopardy.” Spaulding said the U.S. is under “daily, moment-by-moment efforts” by adversaries to infiltrate the public and private sector. Because there is no slowdown in their efforts, she said, anything that hampers DHS creates risks for the nation.

Sharing Practices

Rep. Will Hurd (R-Texas) said there are lots of structural issues to information sharing between government agencies, but that attacks of the magnitude being faced today show the importance of timely information. Schneck said DHS is depending on real-time sharing and machines that can operate and process information quickly so that large sets of data can be provided to all.

Hurd asked how DHS would address the classification of threat information before pushing it down to the private sector. Spaulding said DHS has implemented an enhanced cybersecurity services program to work with private cybersecurity providers, and information could be shared with them rather than having to clear all the private sector entities they work with. 

Ratcliffe asked what processes the NCCIC uses to protect privacy. Schneck replied that she works “every step of the way” with the DHS privacy office, and that part of the reason the system is taking months to build is so that privacy concerns can be properly addressed. 
