Both Congress and President Barack Obama are taking measures to facilitate information sharing between the government and private companies on cyber threats.
The bill would authorize the sharing of cyber threat data with the National Cybersecurity and Communications Integration Center at the Department of Homeland Security. It would also allow the participation of information-sharing and analysis organizations that have self-certified that they follow best practices for the operation of such organizations.
The bill would also grant liability protections to companies for sharing cyber threat data with the NCCIC or with self-certified information-sharing and analysis organizations.
SB 456 narrowly limits what may be shared among industry and with the federal government to cyber threat data, and requires that reasonable efforts be made to minimize data that may be used to identify specific persons. It would also narrowly limit how the federal government could use the cyber threat data it receives.
“I invite and encourage all stakeholders to engage with my colleagues on the Homeland Security and Governmental Affairs Committee and me and provide feedback on how we can make this bill better in an open and transparent process,” Carper said in a press release announcing the introduction of the bill. “We must all work together to find a legislative solution that will address our cyber security needs while upholding the civil liberties we all cherish.”
Meanwhile, Obama on Friday is expected to sign an executive order easing the way for government, including the Department of Homeland Security, to share classified cyber threat information with companies, the Wall Street Journal reported Thursday.
“DHS previously wasn’t among the federal agencies that had [the] power” to share classified information, the WSJ wrote. “The change could be substantial, as DHS is supposed to serve as the primary interface between the government and companies when it comes to sharing information about cyber threats.”
The executive order, to be announced at a cybersecurity summit at Stanford University, would be limited in that it would not force private companies to share information; rather, sharing would remain voluntary, the WSJ wrote.