Cybersecurity: Debate over cyberthreats data sharing bill intensifies

Published 7 July 2014

Cybersecurity analysts with DHS’s National Cybersecurity and Communications Integration Center (NCCIC) are advocating the passing of legislation which will provide a legal framework for the private sector to share information with DHS about cyberthreats. Privacy advocates generally support the government’s anti-cybercrime efforts, but fear that the NSA’s involvement with the NCCIC will make private data vulnerable to surveillance programs. “What I most worry about is we may rush to legislation after” a large cyber-attack, Larry Zelvin, NCCIC director, says. “It would be much better to be more thoughtful now.”

Cybersecurity analysts with DHS’s National Cybersecurity and Communications Integration Center (NCCIC) are advocating the passing of legislation which will provide a legal framework for the private sector to share information with DHS about cyberthreats. The analysts currently monitor possible breaches of government networks, but insist that knowledge of threats posed to the private sector is vital to securing U.S. critical infrastructure spanning sixteen sectors, including finance, energy, and communications.

“If we don’t know what’s going on, we can’t respond to it,” Larry Zelvin, director of the center, said in an interview with Insurance Journal. “Sometimes we don’t know about an attack until it comes up in the news or social media.”

Senate Intelligence Committee chairwoman Dianne Feinstein (D-California), who authored the Cybersecurity Information Sharing Act (CISA), expects it to pass the Senate and reach President Barack Obama’s desk this year. Companies which choose to participate and share cyberthreat information with DHS will help reduce the number of cyberattacks targeted at U.S. banks, retailers, and energy companies. A recent report by the Center for Strategic and International Studies claims cybercrime costs the private sector as much as $575 billion a year.

Some cybersecurity groups are concerned that DHS is incapable of managing a federal cybercenter. There is a shortage of top cybersecurity professionals within the federal government, and many industry watchers question the security of private information under government control, since the cybercenter works with NSA liaisons who operate out of the NCCIC building.

“There are a lot of people in industry that frankly are not comfortable sharing with DHS,” Robert Dix, vice president of government affairs for Juniper Networks, Inc., told Insurance Journal. “There’s also concern about whether or not the information will be protected.”

Privacy advocates generally support the government’s anti-cybercrime efforts, but fear that the NSA’s involvement with the NCCIC will make private data vulnerable to surveillance programs. “Cybersecurity information-sharing legislation should be written such that only cybersecurity threat information is shared with the government and it’s done in a privacy protecting way,” Robyn Greene, policy counsel for the Open Technology Institute, told Insurance Journal. Zelvin insists that the center is interested in securing networks and fighting threats, not personally identifying private individuals. “We’re all about finding the hole, plugging the hole and making sure the hole doesn’t come back,” said Zelvin. “I don’t need your name to do that. I don’t need to know where you live.”

The $163 million annual budget, and 500 analysts and contractors assigned to the Arlington, Virginia-based NCCIC, currently allow it to protect federal civilian networks such as the Social Security Administration or the Department of Health and Human Services. The center monitors classified NSA intelligence about foreign hackers and reviews space-weather reports to prepare for solar flares that could shut down satellites and interrupt global communications.

While NCCIC has issued roughly 12,000 security alerts to the public and private sector regarding cyberthreats, it lacks the authority to engage with the private sector on the specifics of each hacking attempt unless a cybersecurity sharing bill is passed by the Senate and approved by Obama. For now, representatives of the largest critical infrastructure sectors regularly meet with NCCIC officials to discuss general cyberthreats and proactive measures. “What I most worry about is we may rush to legislation after” a large cyber-attack, Zelvin said. “It would be much better to be more thoughtful now.”