The Senate passed the Cybersecurity Information Sharing Act (CISA) despite concern about privacy issues, but experts said there is still a chance those issues can be fixed, as CISA moves on to be reconciled with similar bills passed by the House of Representatives.
In April, the House passed two different cybersharing bills -- the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act of 2015 (NCPAA). The two bills were later combined, with the original PCNA becoming Title I and the NCPAA becoming Title II of H.R. 1560, the Protecting Cyber Networks Act.
Ari Schwartz, current managing director of cybersecurity services for Baltimore-based Venable LLP and former White House senior director for cybersecurity, told SearchSecurity that the PCNA generally has better privacy and liability protections than CISA, especially in terms of what data is collected and what can be done with it.
"That's clearer in the House bill -- how those roles will be put into place, what [U.S. Department of Homeland Security] DHS' role is in minimizing that data," Schwartz said. "The Senate bill is less clear about that. The whole way that the Senate bill is structured is confusing as to what is allowed and what is not allowed, and leaves it up to the agencies to interpret what's allowed and what's not allowed."
Paul Kurtz, former cybersecurity advisor to the White House and current co-founder and CEO of TruSTAR Technology LLC, based in Arlington, Va., said that all of the bills in question have raised privacy concerns, but the House's PCNA does have benefits over CISA.
"The House bills offer greater definition of the types of cyber incident information, which are useful to share in order to stem attacks and enable mitigation discussions between companies," Kurtz said. "The House bills are also seen as having stronger privacy provisions based on how they define cyber incident data provisions regarding the removal of personally identifiable information."
Rebecca Herold, CEO of Privacy Professor, said a key to reconciliation will be incorporating privacy protections from PCNA into CISA to mitigate privacy issues.
"PCNA requires personal data to be removed if it is not necessary for analysis. It also allows a person to bring a private cause of action against the federal government if an agency intentionally or willfully violates privacy and civil liberties guidelines. The NCPAA requires that personal data is only used for cybersecurity purposes," Herold said. "Those are truly minimum protections, but still important and necessary."
Carson Sweet, CSO and chairman at San Francisco-based CloudPassage Inc., wasn't as optimistic that the reconciliation would lead to any "acceptable" cybersecurity legislation.
"There's very little in the House bills that I would consider 'pros' over CISA," Sweet said. "They both have softness around privacy protections, and there's still quite a bit of concern about both sets of bills containing language permitting commercial entities to release private information on individuals and claim ignorance of the fact. On the flip side of the coin, a lot of security providers (including federal contractors) have pretty deep concerns about how some of the language could be interpreted in ways that leave them liable for what otherwise would be them just doing their jobs."
Schwartz said he expects the reconciliation to happen sometime before February 2016, but did warn that the Senate and House have not spoken yet. And until there is a new Speaker of the House in place, it is difficult to predict how reconciliation will go.
"They haven't talked yet. I think it will depend a lot on how the House leadership shakes out," Schwartz said. "There's some question about what the Intelligence Committee is going to look like when there's new leadership in the House."
Herold agreed that action may not be taken until after the House leadership is sorted, but noted that the pressure to get something to the president may lead to CISA being pushed through as is.
"If the House decides they want to get this off their plate before the new Speaker steps in, with [Speaker John] Boehner wanting to continue 'cleaning the barn,'" Herold said, "he may push for the House to simply go with the Senate version to please those in both parties who are pushing for the cybersecurity bill."
In June, Michael McCaul, R-Texas, chairman of the House Homeland Security Committee and sponsor of the NCPAA, said that the Senate had major issues to deal with in order to get CISA passed by the House.
"My concern is that they have an NSA information-sharing component in there that I think would be problematic in many ways in the House," McCaul said. "I've warned them that if that kind of bill comes back, it's not going to pass -- and that's the political reality."
According to Schwartz, the version of CISA passed still includes the NSA information-sharing component, and he expects that to be a "huge problem" for CISA during reconciliation.
"The House version is very clear that you cannot share directly with the NSA, and the Senate version is unclear on that. There's one part that says all information has to go to DHS, and there's another part that says you have liability protection when sharing with any federal agency. So, I do think that is confusing and unacceptable to the House. That's a huge problem going forward that is going to have to be worked out."
McCaul told SearchSecurity he is looking forward to working with the Senate on reconciliation, but did not answer questions about specific portions of the bills that might be up for debate.
"I congratulate the Senate for passage of their cybersecurity bill. The House passed our version by a similar overwhelmingly bipartisan vote in April," McCaul said on behalf of the House Homeland Security Committee. "We look forward to going to conference with the Senate to work out our differences and produce a final bill that ensures Americans' privacy and better protects our nation's networks."
The office of Rep. Devin Nunes, R-Calif., sponsor of the original PCNA, also declined to comment on specifics of the reconciliation, but said there are plans to "have a conference before the end of the year, where differences between the bills will be subject to the usual negotiation process."
White House spokesman Eric Schultz told reporters that President Barack Obama was "hopeful that the Senate and House can work together expeditiously to send the best possible bill to the president's desk as soon as possible."
Sweet said that while CISA and PCNA look similar on the surface, "the devil is in the details.
"The differences are still significant, and, in some cases, driven by other agendas. And it's going to be extremely difficult for them to be reconciled," Sweet said. "My guess is the whole set of legislation will be scrapped or new, descoped legislation will be proposed that's more likely to survive."
Kurtz was more hopeful that reconciliation could be achieved.
"Virtually all parties agree that sharing cyber incident data is critical to resolving the enormous challenges we face in cyberspace, and we need a law that removes obstacles to sharing between companies," Kurtz said. "Where matters become complicated is when cyber incident data is shared with government. Here, definitions about what constitutes cyber incident data and provisions about the removal of personally identifiable information will need to be carefully reconciled."
Herold did not comment on the likelihood of reconciliation, but focused on its necessity, because "CISA as it stands will be a data security and privacy smashing behemoth."
"If Congress, whose members expressed widespread outrage at the OPM breach and the exposure of their own data, continues to turn a deaf ear to security and privacy experts on the problems with CISA as it stands, with no accountability and no explicit or effective privacy and security protection requirements, they may find the OPM breach to pale in comparison to what could potentially be done by hackers and criminals with the data repositories that will be even richer in personal data than the OPM data," Herold said.
"Congress needs to listen to those few colleagues of theirs who are security- and privacy-savvy and trying to make them aware of the risks and concerns, and finally understand that it is much less costly, and there will be much less harm to the U.S. population, to require security and privacy protections upfront, and not wait until bad things happen and then try to fix it."