BreachExchange mailing list archives

A cybersecurity turf war at home and abroad


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 28 Apr 2015 19:48:47 -0600

http://personalliberty.com/a-cybersecurity-turf-war-at-home-and-abroad/

The House passed not one, but two, bills last week to provide immunity from
consumer lawsuits to companies that share with each other, and with the
government, information about cyberthreats and attacks on their networks.

It’s clear that majorities of both parties believe greater cooperation
between business and government is needed to fight the hackers who have
stolen data from some of America’s biggest companies.

What’s less clear is how the process is going to work. In passing two
bills, instead of one, House leaders gave an ambiguous answer.

The differences between the bills are significant. The first bill, a
product of the Intelligence Committee, would allow companies to share data
with any federal agency, except the Defense Department, and receive
liability protection.

The second bill, drafted by Homeland Security Committee Chairman Michael
McCaul of Texas, would require that companies go to the National
Cybersecurity and Communications Integration Center, a new division within
the Homeland Security Department, if they want immunity.

Both McCaul and Intelligence Committee Chairman Devin Nunes of California,
who sponsored his committee’s bill, had only praise for each other last
week. But normally committee chairmen who both have a stake in an issue and
want to produce the best possible bill work together to reconcile
differences in advance of a vote. In this case, they didn’t.

It’s no surprise that McCaul wants the new Homeland Security Department
cybersecurity center to play a critical role. He sponsored the bill that
created it last year and he was annoyed earlier this year when President
Barack Obama announced the creation of a new agency, under the Director of
National Intelligence, to coordinate the government’s cybersecurity
response. McCaul wrote to Obama in protest. He said the two centers
appeared to be duplicative.

But the Intelligence Committee bill passed last week would give the new
White House cybersecurity center, known as the Cyber Threat Intelligence
Integration Center, Congress’ blessing by authorizing it.

“Because there seems to be some kind of turf war between the Intelligence
Committee and the Homeland Security Committee, we’re actually voting on two
overlapping bills that in several respects contradict one another,”
Democratic Rep. Jared Polis of Colorado said during the floor debate last
week.

The measures differ in another significant way. McCaul’s bill would allow
the Homeland Security Department to share cyberthreat information it
receives from companies with other government agencies, but they’d be
barred from doing anything with it except fight hackers.

The Intelligence Committee bill would allow the government to use the data
to respond to, prosecute or prevent “threats of death or serious bodily
harm,” as well as “serious threats to minors, including sexual exploitation
and threats to physical safety.”

Polis, whose view was clearly in the minority, argued that might allow the
feds to go after him for failing to babyproof his house.

The bills have other differences. Their definitions of what qualifies as
cyberthreat information vary, as do their definitions of the “defensive
measures” the bill authorizes companies to take to combat hackers.

Both bills aim to ensure that personal information about consumers that’s
irrelevant to a cybersecurity threat isn’t distributed. They do that by
requiring both the companies sharing data and the government agencies
receiving it to erase it.

But McCaul’s bill would task the Homeland Security Department’s chief
privacy officer and its officer for civil rights and civil liberties, in
consultation with an independent federal agency known as the Privacy and
Civil Liberties Oversight Board, with ensuring that happens. The Nunes
bill, by contrast, would place responsibility for writing privacy
guidelines in the hands of the attorney general.

House leaders will get to decide what happens next. A House leadership aide
said Nunes will get his way on at least one of the big issues: Companies
will be able to provide cyberthreat information to any non-Defense
Department agency and receive liability protection. It’s not yet clear how
the leaders will come down on the other differences.

It is clear that privacy advocates, as well as House members, prefer
McCaul’s bill. It passed with 355 yeas compared to 307 for Nunes’ bill. But
if only one of them is to become law, it’s more likely to be the Nunes bill.

The Senate’s companion measure is an Intelligence Committee bill sponsored
by Republican Richard M. Burr of North Carolina, who’s well known for
stressing security over privacy. Burr last week introduced a bill to extend
the authorization for the National Security Agency’s controversial phone
record collection program to 2020. His cybersecurity bill hews more closely
to the Nunes version than McCaul’s.

Senate Majority Leader Mitch McConnell of Kentucky hasn’t set a date for
considering Burr’s bill, but it is expected to pass easily. The
Intelligence Committee approved it in March on a 14-1 vote. Only civil
liberties advocate Ron Wyden, an Oregon Democrat, objected.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/