Lawmakers model latest cyber bill after DoD information sharing pilot
Wednesday - 4/11/2012, 5:09am EDT
The Cyber Intelligence Sharing and Protection Act of 2011 is designed to make it easier for the government to share classified intelligence information about cyber dangers with the private sector.
The bill, H.R. 3523, also would encourage a voluntary approach for companies to share IT security information back to the government.
U.S. Rep. Dutch Ruppersberger (D-Md.) presiding over the House of Representatives as Speaker Pro Tempore on Jan. 16, 2007.
The Cyber Intelligence Sharing and Protection Act builds off of the Defense Industrial Base (DIB) pilot. DoD launched the test in August with 37 vendors with a goal of sharing threat signatures, or information, about potential cyber attacks.
DoD has transferred the program to the Homeland Security Department with an eye toward expanding the program to more than 200 companies over the next year.
"We are seeing a number of areas just based on data collections from those companies that we are getting information on threats we would not have seen otherwise, and they are getting information from each other as well as from us about what the threats are and what the mitigation could be," said Teri Takai, DoD chief information officer, at a recent House Armed Services hearing. "That complements well the DIB pilot process which was focused around the Internet Service Providers and being able to take the information sharing and moving it to the protection piece."
DIB pilot to expand
DoD will expand the program when an interim rule is completed. DoD currently is reviewing comments on the DIB proposed rule.
Gen. Keith Alexander, commander of the U.S. Cyber Command, told lawmakers last month that it's that type of information sharing that is most important to protecting agencies and the nation against cyber attacks.
What Ruppersberger and Rep. Mike Rogers (R-Mich.), chairman of the Intelligence Committee and co-author of the bill, are doing is taking the concepts from the DIB pilot and putting them into law.
Their bill also would update a 1947 bill that limits how classified information is shared.
"This was a year in the making and included hundreds of meetings to try to put something together that dealt with the very serious challenge of nation state actors both planning for cyber disruption attacks against the U.S. and our allies as well as a nation state focused effort to steal property for the sole purpose of harming the economy," Rogers said.
The 13-page legislation requires the Director of National Intelligence to create a process to share classified cyber data with properly cleared private sector individuals.
The only information that can be shared both ways is cyber or national threat information, which is a key point of the bill.
Protecting privacy and civil liberties is a major focus in the bill
Rogers said the bill keeps the protection of privacy and civil liberties on the front burner.
"The bill authorizes the private sector to anonymize or minimize the cyber threat information it voluntarily shares," he said. "Those companies can make that determination what they think they minimally need to share in order to solve their problems. We think that is also very limiting and encouraging to folks who are concerned about civil liberties protections. There are very strong limitations on the government's use of this information. It must be protected from disclosure outside the government. The government may not search the cyber threat information for non-cyber or national threats information."
Rogers and Ruppersberger said the intelligence community inspector general will review annually how government handles and protects the cyber threat information and will make recommendations to improve upon it.
Ruppersberger added the committee is considering another provision to give the Homeland Security Department a larger role in working with the private sector.
"We are communicating with the White House on a regular basis and they have some issues they want us to work on," he said.
Rogers said they also are writing language that would require DHS to receive copies of the voluntarily received cyber threat information and clarify the department's role in sharing information with other federal entities.
"The bill would make clear it would grant no new authority to DoD or the intelligence community to require or direct any public or private cyber efforts," Rogers said.
Dozens of cyber bills competing for time
The Rogers-Ruppersberger bill becomes the latest one of more than 30 to try to address the growing threat of cyber attacks.
Their bill most closely resembles the legislation introduced by Sen. John McCain (R-Ariz.) in March. His bill would take a "hands off" approach to oversight of critical infrastructure protection.
Another bill, from Rep. Dan Lungren (R-Calif.), would create a public-private sharing non-profit.
And finally, the leading cyber bill, introduced by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.), would take yet another approach. It would give DHS the role of convener to create with industry minimal cyber standards, against which companies would either self-certify or have a third party independently validate their controls.
House and Senate leaders have pledged to bring up the cyber bill as soon as possible, but no specific date or timeframe has been publicly discussed.