By: Tal Kopan
January 29, 2015
There were familiar flash points but new blood at Wednesday’s cyberthreat information sharing hearing as senators signaled their determination to bring resolution to the stalemated debates of the past.
Questions from members of the Senate Homeland Security and Governmental Affairs Committee returned repeatedly to privacy concerns over information sharing — a “poison pill” issue that sank last year’s attempt to pass a bill by keeping the Senate Intelligence Committee’s version from even coming to the floor.
But just the fact that the Homeland Security Committee was having the hearing at all — the committee’s first hearing of the 114th Congress and the first on the Hill on information sharing — sent a strong message that its lawmakers are looking to lead on the issue this time around.
“This is something we’re certainly dedicated [to] as Senate Republicans: to move and pass a bill,” Chairman Sen. Ron Johnson (R-Wis.) told reporters after the hearing, which he called “encouraging.”
His ranking member, who chaired the committee in the last Congress, was also clearer than he’s been to date on the committee’s intentions.
“We didn’t much get involved with information sharing [last Congress]. My guess, my expectation, is that we will be much more involved this year,” Sen. Tom Carper (D-Del.) told reporters.
The panel heard from members of the private sector and security community as well as a representative from the privacy and civil liberties space, all of whom emphasized that information sharing can help improve the nation’s cybersecurity.
But the question of how to craft such a bill was the overarching theme, with many senators focusing on how to protect Americans’ private information from getting swept up into a new collection mechanism.
The draft legislation that President Barack Obama unveiled in the lead-up to the State of the Union address was also a topic of conversation. Witnesses called it a good starting point with some flaws in the details.
Johnson, who waited to ask his questions until the end after all other members had left for votes, grilled the witnesses on the existing proposals on the table, the one from the White House and the Senate Intelligence bill from last year, and where they would fail to get support.
“What is the greatest threat … when you take a look at the White House proposal, what’s coming out of Senate Intel, because that’s what we’re going to be dealing with here in the Senate, either of those two proposals or some kind of combination, what is going to be the biggest threat in terms of crossing the goal line?” Johnson asked, specifically addressing his question first to the privacy rep on the panel, the Center for Democracy and Technology’s Greg Nojeim.
“In other words, what are the poison pills in some of these bills?”
Nojeim laid out three principles he thought would satisfy the privacy community. First, the type of information that can be shared must be properly defined, and companies must be required to remove personal information from anything they share, he said. Next, the way agencies share information received through a portal under civilian control should be clearly defined and should protect privacy, so that massive amounts of information are not sent to the NSA without checks. Finally, he added, any legislation should promote company-to-company sharing, not just company-to-government or company-to-hub sharing as the White House proposal does.
Carper also focused his questioning on what the committee could do to build on past work and where it could lead.
“We share jurisdiction on that issue, some would say we actually have maybe more jurisdiction, jurisdictional claim on information sharing than other committees, but we’re going to be working fairly hard in this vineyard fairly soon,” Carper told the witnesses.
Carper cited three existing efforts, the White House proposal, last year’s Senate bill and a different version that passed the House last Congress.
“Using those three as maybe touchstones for us in cobbling together smart legislative policy … what would be one or two major points that you would have us take into mind and consider as we do our work?” he asked the witnesses.
American Express Executive Vice President and CIO Marc Gordon emphasized the need for speedy sharing and for making sure government shares as much as the private sector does. Microsoft Corporate Vice President Scott Charney said past congressional efforts didn’t do enough to protect civil liberties and the White House proposal doesn’t support enough company-to-company sharing, a point Nojeim agreed with. He also noted that Congress should consider the international ramifications of its work — both in terms of international customers squeamish in the post-Snowden era about their data going to the U.S. government, and in terms of what other governments can ask of companies.
Marsh & McLennan Executive Vice President and general counsel Peter Beshar said legislation needs to focus on what data can be shared, and suggested starting with basic cyberthreat indicators. He also noted that the White House proposal requires companies to strip personal data, calling it a “very constructive step forward.” FireEye Chief Security Strategist Richard Bejtlich added that the FBI should get greater resources to fight cybercrime.
Nojeim also praised the White House for adding the obligation to strip personal data and reiterated the importance of putting restrictions on how shared data can be used to ensure that it’s only for cyber purposes or to prevent imminent bodily harm. He added that any countermeasures protected from liability should only be allowed on a company’s own network.
Other lines of questioning focused on the efficacy of any proposal. Freshman Sen. James Lankford (R-Okla.) tried to find a witness who could tell him what percentage of the estimated $100 billion to $450 billion yearly cost of cybercrime could actually be prevented by information sharing. Bejtlich said his security firm finds about one-third of its customers suffer repeat attacks from the same adversary, though no witness had exact statistics.
Freshman Sen. Joni Ernst (R-Iowa) asked how the government can ensure small businesses are protected by the bill and not overburdened by a new sharing regime.
Johnson also asked witnesses what type of bill would actually induce companies to share information. Gordon said protections for company-to-company sharing were once again “tremendously” important, which Nojeim echoed with the caveat that there must be some mechanism to ensure companies play by the rules.
The Democrats on the panel repeatedly brought the conversation back to privacy concerns.
Sen. Tammy Baldwin (D-Wis.) asked the witnesses to specify what actually constitutes personally identifiable information and how legislation should deal with it. Witnesses spent some time debating how to handle IP addresses, for example, which can be seen both as threat indicators when shared as the sources of attacks and as PII when used to identify Internet users. Nojeim recommended that legislation keep the definition flexible and in DHS’s hands.
Sen. Cory Booker (D-N.J.) asked about the international implications of the bill, asking how big a concern it is for companies like Microsoft that have foreign customers spooked by the Edward Snowden revelations.
Charney said his company has had to emphasize to customers it is not in the business of giving customer data to the government, complicating information sharing.
Nojeim said if legislation repeated the Senate version from last year, which required instant sharing of information with a range of agencies including NSA, it would be a major problem. He also warned the panel that surveillance reform should be passed by Congress first, so as not to make information sharing seem like the first U.S. government response to the Snowden disclosures.
Johnson said the privacy concerns with past proposals are valid, but during his questioning he also made a point of saying that cyber incidents are themselves a threat to privacy. He emphasized that he thinks progress can be made if all sides focus on the common goal of protecting Americans.
“I thought the testimony … was very thoughtful, very helpful, and just talking afterwards to the witnesses, even they were making the comment, ‘We’re pretty darn close on this stuff,’ which is encouraging to me,” Johnson told reporters.