June 24, 2014

The Honorable Dianne Feinstein
Chairman
Select Committee on Intelligence
United States Senate
Washington, DC 20510

The Honorable Saxby Chambliss
Vice Chairman
Select Committee on Intelligence
United States Senate
Washington, DC 20510

Dear Chairman Feinstein and Vice Chairman Chambliss:

The U.S. Chamber of Commerce, the world’s largest business federation representing the interests of more than three million businesses of all sizes, sectors, and regions, as well as state and local chambers and industry associations, and dedicated to promoting, protecting, and defending America’s free enterprise system, supports the goals of the draft “Cybersecurity Information Sharing Act of 2014,” which is expected to be marked up on Thursday. The Chamber looks forward to reviewing the bill and amendments after the markup to determine our support for the measure.

The Chamber commends you and your staff members for writing legislation in an open manner, which would make progress toward enacting a smart and effective cyber information-sharing program while respecting privacy. A goal of the Chamber’s cybersecurity policy is to persuade businesses to share cyber threat information with appropriate industry peers and government partners to strengthen U.S. systems against sophisticated and malicious actors (e.g., criminal gangs and foreign powers or their proxies) and make the costs of hacking increasingly steep. Businesses overwhelmingly tell us that they need safeguards to increase their sharing capabilities, which specifically benefit companies and their customers and U.S. economic security. The bill’s array of protections—including limited liability, disclosure, regulation, and antitrust—should positively influence businesses’ decisions to share cyber threat data and countermeasures more quickly and frequently.

What is important is that the bill is headed in the right direction. However, the Chamber urges the committee to make additional changes to create a bidirectional information-sharing program that is more workable in practice. The Chamber provided the committee with comments and recommendations on May 20 regarding the first draft bill. Some of the Chamber’s recommendations were accepted—and we appreciate this. This letter includes some of the Chamber’s ongoing priorities that are applicable to the latest draft.

The Department of Homeland Security (DHS) portal shouldn’t be the only civilian entity to receive electronic information (section 4). The bill seems to make clear that businesses would be permitted to share and receive cyber threat indicators (CTIs) with other businesses and operate countermeasures. But the central issue that stakeholders are wrestling with is the manner in which businesses are granted protections when sharing with the federal government. The legislation would create a “capability and process” in DHS—dubbed a portal in familiar conversation—to accept CTIs submitted in “electronic format.” The Chamber agrees with the committee’s position that information shared with the government through a real-time, automated process must first go through a civilian portal, such as DHS. It is reasonable to expect that civilian agencies and departments should be the primary conduits to government from the private sector when information sharing is happening at Internet speeds and company personnel are not directly involved. But there are many avenues for sharing CTIs in an electronic format, including email. Chamber members already have trusted and effective relationships with civilian agencies and departments. We are reluctant to force businesses to steer what appears to be most electronic threat data exclusively through the DHS portal, despite some of the exceptions listed on pages 22–23, in order to receive liability and related protections. To the extent that businesses are incented by the bill to share narrowly focused CTIs, they should receive safeguards when such sharing occurs, not only with the DHS portal but with any appropriate federal civilian entity.
Don’t regulate businesses that are trying to do the right thing (sections 4 and 5). Provisions of the bill that suggest agencies and departments would have new authority to regulate businesses in light of information that the private sector gives to the public sector are troubling. The Chamber urges the committee to strike sections 4(d)(4)(C), “State, Tribal, and Local Regulatory Authority,” and 5(d)(5)(D), “Federal Regulatory Authority.” It is unclear what business value the regulatory provisions offer companies that take the initiative, and assume the risks, to share threat data.
Personally identifying information (PII) removal mandate sends small and medium-size businesses (SMBs) the message to avoid sharing threat data (section 4). The bill’s call for PII to be removed by businesses that share CTIs would have the unintended consequence of preventing SMBs, and even some large enterprises, from participating in an information-sharing program. Presumably, more participation from organizations is better than less.

The Chamber’s experience suggests that owners and managers who lack the resources or the confidence that they can scrub PII adequately would likely err on the side of not sharing cyber threat data for fear of incurring public or private liability. To be sure, this outcome is not the intent of the committee, but it is necessary to note that this is the likely response that many businesses would have to this provision. 

“Construction” provisions add uncertainty to actions that are protected (section 4). The Chamber applauds the committee for removing the word “only,” which was bracketed in the initial draft. The Chamber believes that keeping the word “only” in the bill would have led to an overly restrictive interpretation of permissible actions that come with safeguards for business. However, in taking out the uses of “only” in the first draft, the committee amended or added new “construction” provisions, which is causing confusion about actions permitted by the Act—including monitoring, using countermeasures and CTIs, and sharing and receiving CTIs. Of particular concern, a company may decide to monitor its networks and systems, or those of a customer, to protect trade secrets or mitigate insider threats. The construction clause on page 11 may unintentionally preclude such actions, which many businesses view as central to managing cyber risks. In addition, private entities monitor their information systems for operational, maintenance, and other routine matters in the normal course of business.
Government-to-business information sharing must be enhanced (section 3). The Chamber believes that the bill should put greater emphasis on enhancing government-to-business sharing. The bill incentivizes businesses to share cybersecurity information with the government, including real-time sharing—but government-to-business sharing is only supposed to be “timely” (page 10), which strikes us as vague and an imbalanced relationship. The committee may be limited in what it can authorize. Yet businesses frequently tell us that they need more actionable and up-to-the-minute threat data that only government entities possess.

The Chamber thanks you for taking the lead in drafting a sensible measure to remove legal hurdles preventing the private sector and government from rapidly sharing targeted cyber threat information. The Chamber urges the committee to make further changes to help the information-sharing program function more effectively in practice. The Chamber looks forward to reviewing the bill following the markup to determine our support for the base measure and any amendments.

***

Most policymakers and practitioners appreciate that the intent of your bill is not to spur more information sharing for its own sake. Rather, the goal is to help companies achieve timely and actionable situational awareness to improve the business community’s and the nation’s detection, mitigation, and response capabilities.

Additional positive side effects of enacting the bill include strengthening the security of personal information that is maintained on company networks and systems and increasing costs on nefarious actors, such as rogue hackers, criminal gangs, and groups carrying out cyber attacks at the behest of nation states. (The United States needs to coherently shift the costs associated with digital attacks in ways that are swift, legal, and proportionate relative to the risks and threats.) The bill would also complement the National Institute of Standards and Technology (NIST)-coordinated cybersecurity framework, which many industry associations and companies are embracing and promoting with their business partners.*

The Chamber looks forward to working with you and your staff members as the bill advances in the Senate.

Sincerely,

R. Bruce Josten

cc: Members of the Select Committee on Intelligence

* See the June 11, 2014, multi-association letter to Michael Daniel, White House special assistant to the president and cybersecurity coordinator, which is available at www.uschamber.com/sites/default/files/documents/files/11June14GroupLetterTYReplytoDanielCyberBlog_Final_0.pdf.