The House made it two-for-two Thursday by passing another cyber information sharing bill.
Lawmakers overwhelmingly supported the National Cybersecurity Protection Advancement Act (H.R. 1731) by a vote of 355-63. The passage of this bill followed Wednesday’s approval of the Protecting Cyber Networks Act (H.R. 1560) by a similar vote of 307-116.
With the passage by the House and at least initial support from the White House, these two bills are closer to becoming law than any previous attempts to improve public-private cyber information sharing.
“It has taken some time for lawmakers to understand the magnitude and consequences that potentially are at risk,” said Bob Dix, the vice president of government affairs and critical infrastructure protection for Juniper Networks. “It has become a more significant risk factor that has continued to grow and evolve, and as a result of some of the high profile breaches we’ve seen, it’s drawn greater attention for lawmakers, for the administration, for leaders in state and local governments, and for CEOs and other executives in the private sector across a wide range of industries. That’s all a positive thing. Now we are at a tipping point, where leadership in Congress and leadership in the administration are coming together, which is not happening every day here in Washington on issues. It’s a great step forward, but we have to remind folks, and that will be part of our mission in industry, that the job isn’t done. These are good first steps, but there is more work to do.”
The House has passed information sharing bills previously, but none have received much attention or support from the Senate or the White House.
But Dix and others say the difference this time is how lawmakers from both sides of the aisle worked with industry and the administration to craft bills that are at least palatable, specifically around liability protections for the private sector and building off of the initial success of the cybersecurity framework being led by critical infrastructure providers with help from the National Institute of Standards and Technology.
“Removing the legal barriers for the voluntary sharing of cyber threats will help keep malicious nation states and cyber criminals out of our vital digital networks,” said Rep. Mike McCaul (R-Texas), sponsor of H.R. 1560, in a release. “This bipartisan, pro-privacy, pro-security bill has been three years and hundreds of stakeholder meetings in the making. I look forward to moving this landmark bill over to the Senate and getting it to the President’s desk as quickly as possible.”
Tom Kellermann, chief cybersecurity officer for Trend Micro, said both bills are proactive and forward leaning, and will empower a public-private partnership, which is something that has been lacking for some time.
“We have not been able to share information like the hackers have. The reasons why we continue to lose in cybersecurity is because the hacker community shares more information than the public and private sectors,” Kellermann said. “Both of these bills allow for a forum, a clearinghouse to be created at the NCCIC [National Cybersecurity and Communications Integration Center], and a capacity for private sector corporations to contribute to the U.S. government’s efforts to essentially civilize cyberspace.”
Pumping up the NCCIC
Both bills approved this week are trying to address similar problems.
The National Cybersecurity Protection Advancement Act, which the House approved Thursday, calls for the NCCIC within the Homeland Security Department to expand its coverage to tribal governments and be the lead federal civilian interface for multi-directional and cross-sector sharing of information related to cyber threat indicators, defensive measures, and cybersecurity risks for federal and non-federal entities.
It also gives industry liability protections to share cyber threat information with the government, which has been a major sticking point in previous bills.
H.R. 1731 would provide liability protections for companies to conduct network awareness, or share indicators or defensive measures. It also establishes a private “cause of action” that a person may bring against the federal government if a federal agency intentionally or willfully violates restrictions on the use and protection of voluntarily shared indicators or defensive measures.
Finally, the bill would exempt from antitrust laws non-federal entities that, for cybersecurity purposes, share cyber threat indicators or defensive measures, or assistance relating to the prevention, investigation, or mitigation of cybersecurity risks or incidents.
Better model needed
Dix said the NCCIC hasn’t lived up to its initial vision of five years ago, in part, because of the lack of integration and collaboration across critical infrastructure sectors.
“The architecture of creating a series of one-off agreements with stakeholders doesn’t scale. It’s not joint and integrated and it’s not cross-sector. While that may have served a purpose at the beginning, in the view of those at DHS, there has to be a recognition now that that model is insufficient to meet our national needs in a global environment,” Dix said. “One of the original plans was to have full integration with our international partners and allies as part of the operation of the NCCIC. While we’ve made progress, we are not full to the point of integrating state and local governments, tribal governments, international allies and a broad range of our private sector stakeholders, especially in the critical infrastructure community.”
view the original content and more from this author here : http://ift.tt/1Qr8Vop
from critical infrastructure alliance http://ift.tt/1Djtvww
via IFTTT
No comments:
Post a Comment