Senate Intelligence Committee finalizing version of cyber sharing bill

Wednesday - 10/9/2013, 6:24am EDT

Jared Serbu reports.

Download mp3

The top Republican and top Democrat on the Senate Intelligence Committee are nearing agreement on a cybersecurity bill designed to bolster the sharing of minute-to-minute cyber threat information amongst private sector companies and with the government.

Sen. Saxby Chambliss (R-Ga.), the vice chairman of the intelligence committee, said he and Sen. Diane Feinstein (D-Calif.), the committee chairwoman, still have some minor differences of opinion to work out, but he's optimistic that the Senate can join with its House colleagues and move forward with an information sharing bill by the end of 2013, and before Congress moves into another election year.

"We're very close to having a cybersecurity bill," he told a cyber conference hosted by Politico Tuesday in Washington. "Had we not been interrupted by the NSA revelations by Edward Snowden and the need for [Foreign Intelligence Surveillance Act] reform, we probably would have already been there by now, because that was next on our plate."

Chambliss said there's broad agreement that the legislation needs to incentivize private sector companies to share information on any malicious code their firms encounter, both by providing them with liability protections that would shield them from lawsuits that could otherwise follow from sharing information with competitors or with the government, and by convincing them that federal agencies are capable of securely communicating threat information between the private and public sectors.

He said that information exchange mostly would happen through a portal operated by a civilian agency, most likely the Department of Homeland Security.

"Cyber information will go into that portal and be shared in real-time, and I emphasize real-time," he said. "If it's nearly-real-time, then we're behind the curve. Once we get to that point, the issue becomes purely a matter of what countermeasures are implemented and who dictates that, and when the liability kicks in. We're pretty close to agreeing on that, but we're not quite there yet."

Mirror image

Chambliss said he and Feinstein have been developing their bill in close consultation over the past year with Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), their counterparts on the lower chamber's Intelligence Committee.

"So if we can get something done on the Senate side, we think we can come together and bridge our differences in philosophy between the House side," he said.

According to Chambliss' description, the Senate proposal would largely mirror the current version of Rogers and Ruppersberger's legislation, the Cyber Intelligence Sharing and Protection Act (CISPA). The House passed an earlier version of the legislation in the spring, but it provoked a White House veto threat.

The Obama administration said it strongly supported the goal of public and private sector information sharing, but it quarreled with provisions that would have made the National Security Agency the hub for the exchange of data. Later amendments to the bill made DHS the center of activity instead.

The White House also said Congress wanted to give companies more of a blank check from legal liabilities than they actually needed.

There's also disagreement over the concept of "minimization." All parties agree that any information that's shared should be scrubbed so that it doesn't contain personally identifiable information about Americans. The White House's stance has been that companies should have at least some responsibility to remove personal information before they send it to each other or to the government.

DHS in charge of sharing

But Rogers believes any law that puts the onus on the private sector would impede participation in the program. Large firms who have the technical capacity and capability to handle minimization will do so, he said.

"But the other ones that can't do it won't do it. And that means they won't share, and that means a vulnerability in our system," Rogers said. "But then it's going to go to the government anyway, which is already required by law to minimize. Who can do that better than anyone? It's the NSA. They do it, we watch them like a hawk, and we kick them when we think they're not doing it. My argument is we should have the best filter for [personally-identifiable information], and it should not be run at the expense of businesses, because defending the country should be all of our expense. And we'll get more participation."

The current version of CISPA would put DHS in charge of the information sharing program rather than the NSA. The change came about via an amendment by Rep. Michael McCaul (R-Texas), the chairman of the Homeland Security Committee, who also is working on his own bill to give DHS the lead role in a comprehensive public-private information sharing program.