House Homeland Security on Obama Information Sharing Proposals
House Homeland Security Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies
“Industry Perspectives on the President’s Cybersecurity Information Sharing Proposal”
Wednesday, March 4, 2015
Key Topics & Takeaways
· Sharing with the Government: Rep. Clawson (R-Fla.) maintained his reservations that “the government coming in to help” may not be the best solution. Jenner & Block’s Callahan insisted that cooperation with the government is needed because companies are facing threats from foreign governments.
· FS-ISAC: Rep. Ratcliffe (R-Texas) asked how the president’s proposal would affect FS-ISAC, calling it one of the most developed ISACs and stressing that “we don’t want to break something that is working well.” FSSCC’s Garcia answered that the president’s proposal will help as long as the establishment of ISAOs does not lead to confusion or competition.
· Privacy Protection: Callahan said there are many policies in place at NCCIC to protect private information, with data minimization being the key element because it protects privacy and limits the information that government agencies must comb through. She said the privacy community supports the civilian control of information and noted that Department of Homeland Security has a subcommittee classified at the top secret level that includes privacy advocates.
Speakers
· Matthew Eggers, Senior Director, National Security and Emergency Preparedness, U.S. Chamber of Commerce
· Mary Ellen Callahan, Jenner & Block
· Greg Garcia, Executive Director, Financial Service Sector Coordinating Council
· Mark Libicki, RAND Corporation
Opening Statements
In his opening statement, Chairman John Ratcliffe (R-Texas) said any cyber threat information sharing legislation must preserve and enhance existing relationships within the private sector and with the federal government while protecting the privacy of consumer information. He noted that cyber threats are increasing in scale, intensity, and complexity, and that institutions of all sizes are at risk.
Ratcliffe said the National Cybersecurity and Communications Integration Center (NCCIC) has been at the forefront of working with the private sector to facilitate sharing, highlighting that it is a civilian cyber operations center with an embedded privacy office. As the lead civilian portal, he said NCCIC should be the focus of any legislation.
Testimony
Matthew Eggers, Senior Director, National Security and Emergency Preparedness, U.S. Chamber of Commerce, said in his testimony that the National Institute of Standards and Technology (NIST) Framework for cybersecurity is incomplete without legislation that removes barriers to information sharing. He said the Chamber supported the Cybersecurity Information Sharing Act (CISA) proposed last Congress because it gives companies legal assurances to make them more comfortable with sharing information by including protections for public disclosure and anti-trust matters while removing personal information from any shared data.
Eggers was more critical of S.456, the Cyber Threat Sharing Act, proposed by Sen. Thomas Carper (R-Del.), which he likened to President Obama’s own proposal. He said the Chamber would like more scrutiny of the Information Sharing and Analysis Organizations (ISAOs), and that the White House and Carper proposals failed to include anti-trust protections.
Mary Ellen Callahan, Jenner & Block, said in her testimony that there are six crucial factors in establishing private sector information sharing with the government: 1) development and implementation of legitimate privacy safeguards; 2) establishing clear controls on what the government does with shared information; 3) identifying and empowering a civilian interface with the private sector for all information sharing communications; 4) establishing the “value proposition” for information sharing, in which sharing is done at an acceptable cost and poses minimal risk for participants; 5) defining clear and objective limitations on liability for companies that share information; and 6) giving the Privacy and Civil Liberties Oversight Board authority over cybersecurity.
Greg Garcia, Executive Director, Financial Service Sector Coordinating Council, said in his testimony that effective information sharing and risk management means participating in “communities of trust” and believing in the concept of strength in numbers. He said the financial services industry already participates in information sharing, including through NCCIC, but that the primary community of trust is the Financial Services Information Sharing and Analysis Center (FS-ISAC). Garcia explained that FS-ISAC works with government agencies and other ISACs to coordinate information as applicable.
Garcia said President Obama’s executive action on cybersecurity is a positive step. He expressed support for the creation of Information Sharing and Analysis Organizations (ISAOs) as a mechanism for all sectors to share information. While ISACs must retain their status as the primary critical infrastructure partners, he said the ISAOs can build on the strong foundation already in place. He stated that certain principles must be upheld in the structuring of the ISAOs: 1) sharing of sensitive information within and among communities of trust is most successful when operational standards of practice establish clear handling rules; 2) information sharing is not a competitive sport and operational standards should incentivize federated information sharing; 3) government internal processes for collecting, analyzing, and packaging information must be streamlined and transparent to maximize timeliness and accuracy; and 4) government information sharing mechanisms such as NCCIC should prioritize engagements with ISACs and ISAOs according to transparently established criteria.
Mark Libicki, RAND Corporation, said in his testimony that information sharing makes for a better cybersecurity defense, but voiced concerns that proposed legislation is a “point fix to a broad problem.” He said cybersecurity is very complex, that information sharing is not the only “runway,” and that the sharing model proposed is not the only model to consider. He offered three specific types of information sharing to consider: 1) sharing of software vulnerabilities; 2) sharing to improve cybersecurity practices; and 3) sharing of threat information, the current focus of legislation and executive action.
Question and Answer
Ratcliffe asked if the private sector supports the sharing of cyber threat indicators through civilian portals like NCCIC. Eggers responded that it does because businesses want to share with trusted partners. He added that the Chamber of Commerce wants to see a bill that gives companies the ability to voluntarily share threat indicators and that includes protections for sharing with government entities.
Rep. Curtis Clawson (R-Fla.) expressed doubt that private companies, especially multinationals, would buy into information sharing with the government because of their foreign stakeholders. He commented that if he were managing a major company, he would not want to share with any foreign government. Eggers countered that the sharing is completely voluntary. He added that the program is not about government surveillance, but about sharing relevant data business-to-business and business-to-government. Garcia said the financial services sector has “gotten over the hurdle” of the idea of sharing with competitors, and that he hopes other sectors will become more comfortable with the idea.
Clawson maintained his reservations that “the government coming in to help” may not be the best solution. Callahan insisted that cooperation with the government is needed because companies are facing threats from foreign governments.
Ratcliffe asked what kinds of measures are in place at NCCIC to ensure that private information is not shared with the government. Callahan said there are many policies in place, with data minimization being the key element because it protects privacy and also limits the information that government agencies must then comb through. She said the privacy community supports the civilian control of information and that Department of Homeland Security (DHS) has a subcommittee classified at the top secret level that includes privacy advocates.
Ratcliffe asked how the president’s proposal would affect FS-ISAC, calling it one of the most developed ISACs and stressing that “we don’t want to break something that is working well.” Garcia answered that the president’s proposal will help as long as the establishment of ISAOs does not lead to confusion or competition.
Liability Protection
Ratcliffe asked what kinds of liability protections are necessary in information sharing legislation. Eggers said protections can be broken into four categories: 1) liability protections for sharing with the private sector and government; 2) regulatory protection; 3) exemptions from the Freedom of Information Act; and 4) anti-trust protections. He commented that the liability protections are the most important.