A group of Republican senators has re-introduced a cyber security bill that would address how digital information can be shared between the private sector and the federal government.
The Strengthening and Enhancing Cyber Security by Using Research, Education, Information and Technology (SECURE IT) Act aims to remove legal barriers that prevent companies from sharing cyber threat information with each other and the government.
Similar to the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the House of Representatives in April, SECURE IT, introduced last week, would allow companies to legally share data gathered from their networks with other companies, law enforcement agents and government agencies in order to enhance cyber protections. Privacy advocates warned that the earlier version, introduced March 1, would allow the government – by giving them access to private online information – to spy on Americans.
The latest version of SECURE IT addresses those concerns by having a stricter definition of "cyber threat information" and clarifying that the government cannot use or retain the data received as part of the information-sharing program for other purposes. The government would also need to obtain prior written consent from the private sector to use the information for law enforcement purposes. Federal contractors would also have to notify customers of any security incidents affecting service.
While the changes are promising, there is still flexibility on the definition of the information that can or cannot be shared, Marc Maiffret, CTO of BeyondTrust, a vendor of privileged identity management (PIM) solutions, told SCMagazine.com.
Instead of focusing on the sharing of data that may not benefit everyone, Congress should pass a federal breach notification law.
"There are too many breaches happening that we never hear about," Maiffret said.

Sens. John McCain of Arizona, Kay Bailey Hutchison of Texas, Chuck Grassley of Iowa, Saxby Chambliss of Georgia, Lisa Murkowski of Alaska, Dan Coats of Indiana, Ron Johnson of Wisconsin, and Richard Burr of North Carolina are backing the legislation.
“Our bill focuses on giving companies and the government the tools and knowledge they need to protect themselves from cyber threats, and creates new important requirements for government contractors to notify their agencies of significant cyber attacks to their systems,” Hutchison said in a statement.
The bill is an alternative to the Cybersecurity Act, earlier proposed by Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Maine, and favored by many Senate Democrats and the White House.
The Cybersecurity Act goes much further than SECURE IT in that it addresses cyber security issues beyond just information sharing, Rick Dakin, CEO of Coalfire, an independent IT audit and compliance consultancy, told SCMagazine.com. SECURE IT looks only at the question of what information should be shared and with whom, and contains less regulation, Dakin said.
SECURE IT is not comprehensive enough, nor does it address all the needed issues to protect Americans, Dakin said.
It starts with the assumption that companies will share information when something goes wrong, but that often is not the case, he added.
Information sharing must be a long-term effort with a framework that includes an organizational body with actual oversight and mandate, such as what is proposed in the Cybersecurity Act, Dakin said. That legislation empowers the U.S. Department of Homeland Security to evaluate the security practices of companies operating networks that have been flagged as part of the country's critical infrastructure.
“Cyber security protection of critical infrastructure should be a national priority," Brian Ahern, president and CEO of Industrial Defender, which offers products and services to protect critical infrastructure, told SCMagazine.com. A significant majority of the nation's critical infrastructure, which includes electrical grids and gas pipelines, is owned and managed by the private sector, which may or may not have strict policies in place to protect the networks, Ahern said.
But Republicans have argued that the security framework proposed in the Cybersecurity Act burdens businesses and won't actually improve cyber security. SECURE IT does not give the federal government any new regulatory authority to set cyber security standards.
"A bill shouldn't prevent the sharing of cyber threat information, but rather aid the public and private sectors in working collaboratively, with trusted and open lines of communication to ensure the most timely sharing of critical cyber security information,” Ahern said.

Senate Majority Leader Harry Reid, D-Nev., is expected to push for a vote on comprehensive cyber security legislation sometime this month, though if history is any guide, those efforts may fall short.