Private sector executives praised the information-sharing implementation of the Cybersecurity Act of 2015 during a House subcommittee hearing on Wednesday. The hearing witnesses celebrated the legislation's protections from liability.
The previous “lack of such protections was one of the most serious impediments to sharing information,” United States Telecom Association vice-president of industry and state affairs Robert Mayer told House lawmakers.
In contrast to the vocal objections raised by privacy and civil liberties groups opposed to the legislation last year, the private sector representatives who testified before the Cybersecurity, Infrastructure Protection, and Security Technologies subcommittee were broadly supportive of the bill. The witnesses represented an IT automation firm, a telecom industry group, and a financial threat sharing platform. Information security researchers and privacy groups were not represented at the hearing.
During opening comments, Rep. John Ratcliffe (R-TX), chairman of the Cybersecurity, Infrastructure Protection, and Security Technologies subcommittee, referred to the legislation's controversial approval within the 2016 omnibus spending package as “a significant accomplishment that was years in the making.” He stressed the need for the information-sharing legislation, noting that adversaries of the U.S. government are developing cyber attack capabilities. “We cannot leave the American people, the American economy, and our critical infrastructure to fend for itself,” he said.
House Homeland Security Committee Chair Representative Michael McCaul (R-TX) cheered the liability protections allowed in “government-to-private” information sharing and “private-to-private” information sharing that the legislation created. “The legislation was a major win for security and privacy,” McCaul said.
Matthew Eggers, executive director for cybersecurity policy at the U.S. Chamber of Commerce, called it “too soon to make changes to the legislation,” but he mentioned that Wassenaar Agreement control language could weaken the cybersecurity act. “Creating cybersecurity policies and laws in the Wassenaar Agreement environment lacks sufficient transparency and does not advance public-private partnerships at home and abroad,” he said in testimony.
One of the witnesses, representing a telecom industry group, pushed for even greater liability protections for information sharing than the legislation already allows. Mayer asked the lawmakers to consider altering language that limits companies from knowingly revealing “personal information unrelated to a cybersecurity threat.” He argued that the language would “spur reticence on the part of companies who could fear enforcement action.”
On the other hand, an information security professional urged caution, stressing the need for a “system of checks and balances,” in an email to SCMagazine.com. “Without the proper oversight, will anything actually improve?” asked Stephen Gates, Chief Research Intelligence Analyst at enterprise network security provider NSFOCUS.
Another industry pro encouraged greater sharing of threat information with security researchers. Armor CSO Jeff Schilling called the legislation “a great first step in setting up the framework for government to private collaboration,” in an email to SCMagazine.com. “I would like to see how we can get government informed threat persona context passed to our cyber security researchers and I know the government would love to get the technical data we see in the last tactical mile of a cyber attack in our enterprise environments.”