IT Support and Hardware for Clinics
Compromise on Info-Sharing Measure Grows

A willingness to compromise expressed at a Feb. 25 House hearing on President Obama's cyberthreat information sharing initiative offered a sign of hope that long sought legislation to get businesses to share such data could pass Congress this year and be signed into law.

The tone of the discussion at the hearing was far different than in the past two congresses, when the White House threatened presidential vetoes of cyberthreat information sharing measures that passed the House of Representatives.


Congressional Republicans and the Democratic president and his supporters differed in the past over how an information sharing law should address liability protections and privacy safeguards. The White House maintained the liability protections in the Republican-sponsored legislation were too broad and that privacy safeguards were too weak. The GOP argued the liability provisions in their bills - which had some Democratic backers - were needed to get the private sector to participate in the voluntary information sharing program and that the privacy protections the White House sought would be too costly for some businesses to implement.

But those differences seem to have narrowed at the Feb. 25 House Homeland Security Committee hearing, where both sides expressed a willingness to seek compromise.

Bone of Contention

"It is, sometimes, a bone of contention between both sides of the aisle," House Homeland Security Committee Chairman Mike McCaul, R-Texas, said, referring to differing views on liability protection. But McCaul congratulated administration representatives at the hearing for presenting the president's plan and saw merit in its proposals. "I talked to the private sector; they like the liability protections that are presented here," he said, especially in regards to sharing data with the government.

Still, McCaul said some business leaders had reservations about the liability protection in Obama's plan for businesses that want to share cyberthreat information with other businesses.

The president's proposal would provide liability protection for businesses that share cyberthreat data with DHS's National Cybersecurity and Communications Integration Center, known as NCCIC. Under Obama's plan, those protections aren't extended to businesses that share information with each other directly but would be covered if the data is shared through newly formed information sharing and analysis organizations, or ISAOs. "What the legislation provides is that the private sector can share among themselves through these appropriate organizations and enjoy the same liability protections for providing that information to those organizations," said Undersecretary Suzanne Spaulding, who runs the National Protection and Programs Directorate, the DHS entity charged with collaborating with business on cybersecurity.

Working Out Legislative Language

McCaul responded that the liability protections to share information with NCCIC could serve as the "construct" to share data among businesses, suggesting specific legislative language could be worked out between Congress and the administration. "We can discuss that more as this legislation unfolds," he said.

Rep. Curt Clawson, a Florida Republican who led several multinational corporations before his election to Congress in 2014, said getting buy-in to share cyberthreat information with the U.S. government from companies with global operations and stakeholders could prove to be "a tough sale."

"My world is all about multiple stakeholders," Clawson said, addressing Spaulding. "We're trying to protect our customers, our suppliers, the communities that we live in, and what I've read so far of what you proposed just doesn't feel like a compelling case that I can take to my multinational board of directors. ... Any private-sector CEO would be negligent to go along on the basis of trust" without the U.S. government providing a detailed plan on what information is being sought and how it would be used.

Spaulding said the government will build that trust and agreed with Clawson that the "devil is in the details" of a final legislative plan. She said information to be shared would be minimal and technical, such as explicit cyberthreat indicators, IP address and specific types of malware. The undersecretary said the government would be transparent on the types of information it seeks and receives and develop policies and protocols to protect proprietary as well as personally identifiable information. "This isn't going to make every company open its doors," Spaulding said. "But it does address concerns that we've heard from the private sector, and there will be a fair amount of detail about precisely what we're talking about sharing here."

Though not totally persuaded, Clawson offered to work with DHS on the legislation, an offer Spaulding accepted.

Stripping PII from Shared Data

Another partisan difference is the Obama administration's insistence that companies strip personally identifiable information from data before it's shared, an act that some Republicans say puts a financial burden on businesses. Phyllis Schneck, DHS deputy undersecretary for cybersecurity, explained that under Obama's proposal, companies would need to make a "good-faith effort" to remove PII, conceding that it is a "policy puzzle" that needs to be solved by the private sector working with law enforcement and the intelligence community. "We're doing our best to get everybody to design that," Schneck said.

Regardless of how the final language of a cyberthreat sharing bill reads, such legislation is only one part of a solution to mitigate cyberspace risks. "Information sharing is no silver bullet," said Eric Fischer, senior specialist for science and technology at the Congressional Research Service. "It's an important tool for protecting systems and their contents. As long as organizations are not implementing even basic cyber hygiene, there are going to be some significant difficulties."

Fischer cited a Hewlett-Packard study that shows 45 percent of companies lack basic cyber hygiene. "There have been cases where companies had the information, but nevertheless did not pay sufficient attention to it," he said. "They had information that could have prevented an attack. If a company is not prepared to implement threat assessments that they receive, then that's going to be a problem."

Sizing Up the Impact of Partial DHS Shutdown

The expansion of some major federal government cybersecurity initiatives would be suspended if Congress does not fund the Department of Homeland Security by week's end, triggering a partial shutdown.

Initiatives to expand the Einstein 3 intrusion prevention and continuous diagnostic and mitigation programs to a number of federal civilian agencies would be placed on hold if Congress fails to come up with the money by Feb. 27, when a temporary DHS appropriation ends.

"A shutdown would prevent us from bringing aboard those [programs] and essentially stop those agencies from receiving the protection that they need from the cyberthreats out there," says Andy Ozment, DHS assistant secretary for cybersecurity and communications.

About 43 percent of the staff at the National Protection and Programs Directorate - the DHS entity that oversees its cybersecurity programs - would be furloughed if Congress fails to enact funding legislation that President Obama would sign, according to an estimate by the Congressional Research Service. Ozment says that furlough figure includes 140 employees from the National Cybersecurity and Communications Integration Center, the DHS unit that coordinates cyberthreat information sharing with federal agencies; local, territorial, tribal and state governments; the private sector; and international organizations.

Will Systems Be at Risk?

Although Ozment, in testimony earlier this month to a House panel, said the furloughs would have an adverse impact on the government's cybersecurity activities, he stopped short of saying federal IT systems would be placed at risk by a partial shutdown.

"Without these staff, the NCCIC's capacity to provide a timely response to agencies or critical infrastructure customers seeking assistance after a cybersecurity incident would be decreased and we would be less able to conduct expedited technical analysis of cybersecurity threats," Ozment testified at a Feb. 12 hearing of the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.

Funding for DHS's cybersecurity initiatives - which has widespread support among Democrats and Republicans in Congress - is caught up in a highly partisan political battle over President Obama's executive order to shield millions of illegal immigrants in the United States from deportation. The House in January passed a DHS appropriations bill that would fund most department programs, including those for cybersecurity, but withholds money from initiatives that would support Obama's executive action on immigration. With the threat of a Senate filibuster by Democratic members, as well as a presidential veto, the House bill has stalled in the upper chamber.

Lamentable But Not Perilous

Jason Healey, a cybersecurity expert at the think tank The Atlantic Council, says he doubts the failure to fund DHS cybersecurity initiatives would create significant risk to either government or critical private networks. "That seems like it's a lamentable thing that they can't continue [funding], but it doesn't worry me too much," he says, adding that other federal agencies work to help safeguard government networks and critical IT systems in the private sector, including the FBI.

Besides the temporary suspensions of the Einstein 3 and continuous diagnostic and mitigation programs, also known as continuous monitoring, Ozment said a partial shutdown would halt development of new programs to secure IT. "We would be unable to continue planning our next generation of information sharing capabilities that are necessary to make our information sharing real-time and automated in order to enable us to combat highly sophisticated cyberthreats," he said.
