Last Wednesday, lawmakers on the Senate Homeland Security Committee heard testimony from four private sector executives and an internet advocate regarding cyberthreat information sharing. It was the first hearing on the hot-topic issue for the 114th Congress and shows that the new Congress is serious about tackling cybersecurity issues.



*The Senate Commerce, Science, and Transportation Committee memo can be found here*

Hearing Memo

Protecting America from Cyber Attacks: The Importance of Information Sharing

Senate Homeland Security and Government Affairs Committee

January 28, 2015


Witnesses

Marc D. Gordon
Executive Vice President and Chief Information Officer
American Express

Scott Charney
Corporate Vice President
Trustworthy Computing Group
Microsoft Corporation

Peter J. Beshar
Executive Vice President and General Counsel
Marsh & McLennan Companies, Inc.

Richard Bejtlich
Chief Security Strategist
FireEye

Gregory T. Nojeim
Senior Counsel and Director
Freedom, Security & Technology Project
Center for Democracy & Technology

Key take-aways:

  • Congress should pass information sharing legislation with strong liability protections
  • Information sharing legislation must strip out personally identifiable information (PII) in order to protect consumers’ privacy
  • What the US Congress does in this space will influence what its international counterparts do as well
  • US companies could be disadvantaged internationally if consumers in other countries are afraid that their PII will be turned over to the US Government
  • Cyber insurance is a good private sector incentive for cyber mitigation

Ranking Member Tom Carper (D-DE) asked the witnesses what they believe is most important…

Gordon: “Real time” sharing; encourage and facilitate company-to-company sharing through liability protection; extend protection to “acting” on the information, not just sharing it; and the bi-directional nature of sharing…not just the private sector sharing information with the US government, but the government sharing information with the private sector as well.

Charney: Go further with civil liberties; don’t interfere with the current public and private information sharing that is taking place; look at the international side…whatever Congress does, international bodies might emulate, which could create problems for companies.

Beshar: The hierarchy of data…look at cyber threat indicators and avoid going too deep; strip out personally identifiable information (PII).

Bejtlich: Third party notification; use what is already in place to get more prosecutions.

Nojeim: Strip out PII before data is shared (the President’s proposal does this, but CISA last year did not); place restrictions on what the collected data can be used for – keep it to just cyber security and law enforcement (the President’s proposal is better on this point than CISA); restrict or limit counter-measures to things done on your own network…don’t use a victim’s network.

Senator James Lankford (R-OK) asked what the economic impact, or cost savings, will be if we have information sharing in place and can prevent losses, and what comes next after information sharing.

Gordon: We might not prevent the first attack, but we might prevent the subsequent repeat attacks.

Charney: What comes next is high-level protection, detective capabilities, and fast response processes. Historically, even the most secure systems have hard exteriors that are difficult to penetrate, but soft centers, where it’s easy for hackers to move around once in. Companies need to beef up those soft interior layers.

Senator Cory Booker (D-NJ) asked what government can do to incentivize or mandate levels of cyber hygiene, and whether we are going to create perverse business incentives for over-sharing that would result in giving the government even more data.

Nojeim: The government shouldn’t mandate…technology changes too quickly. You can incentivize minimum levels.

Bejtlich: Insurance is an incentive from the private sector. Government should focus on counter-attack and prosecutions.

Charney: Lead by example.

Gordon, Beshar: Focus on cyber threat indicators and strip out the PII.

Nojeim: Narrowly define the information that is to be shared; require companies to strip out irrelevant PII; liability protections should only apply when companies follow those rules. Congress shouldn’t try to define/list what is PII in statute. There should be a proposed regulation that requires DHS to collect input from the private sector. This allows DHS to update the definition of PII periodically.

Charney: When you need PII so you can attribute and defend – put protections in place to narrowly define what is shared.

Senator Joni Ernst (R-IA) asked how we can get small businesses to participate.

Bejtlich: Cloud computing is a good benefit. If the cloud company has a good security program, it takes the IT duty away from the mom-and-pop business and puts it on the larger, more capable IT company.

Beshar: The NIST framework is a helpful tool.

Senator Kelly Ayotte (R-NH) asked how law enforcement can get more prosecutions.

Bejtlich: International cooperation; training; make it a career path.

Senator Ayotte also asked what the challenges/dangers of cloud-based computing are for small businesses.

Charney: Security becomes a shared responsibility. There must be built-in security measures. Don’t rely on the end-users.

Senator Ron Johnson (R-WI) asked what landmines we need to avoid.

Nojeim: Narrowly define/strip out PII; provide liability protection only when those rules are followed; shared data should go to DHS, which then applies privacy and shares with the other government agencies who need it.

There could be difficulty with IP addresses because those can be personally identifiable, but they are often needed to identify what was attacked or where the attack came from. For the telephone/cable companies, this would be customer information.

Senator Ron Johnson (R-WI) also asked about data breach notification.

Gordon: A single notification law that pre-empts the 50 state laws would make sense.

Charney: There is concern about when notification should be sent.  We don’t want to send partial notification and compromise the investigation; a prescriptive time frame doesn’t work; “reasonable” is the right standard.

Bejtlich: The term “breach” has to be properly defined.
