Testimony: Privacy Protections Needed for Cybersecurity Info Sharing
Congress is accelerating its consideration of cybersecurity legislation, and this morning, CDT’s Greg Nojeim testified before a key House subcommittee regarding a draft bill from Subcommittee Chairman Dan Lungren (R-CA).
CDT’s testimony focused primarily on information sharing, a critical element of improved cybersecurity, but one fraught with risks to privacy. Chairman Lungren’s bill would establish a National Information Sharing Organization (NISO), a non-profit, quasi-governmental organization that is intended to serve as a clearinghouse for the exchange of “cyber threat information” among owners and operators of critical and non-critical networks and systems in the private sector, government, and educational institutions.
We like the fact that the sharing entity in the Lungren bill is not government-centric. In this regard, we prefer Chairman Lungren’s approach to the Administration’s proposal and to legislation recently reported by the House Intelligence Committee. However, we stressed that the information sharing provisions in the Lungren bill need to be clarified. We offered some concrete suggestions, and the Chairman asked for further input, which we will be providing.
CDT’s testimony applauded the light regulatory touch Chairman Lungren’s bill offers. The bill generally relies on market incentives rather than government mandates, and thus would be more likely to strengthen cybersecurity without inhibiting security innovation.
We also applauded the provisions of the bill that cement the Department of Homeland Security’s role as the lead federal agency for cybersecurity for the civilian government and private industry. CDT believes DHS is best suited for this role—as opposed to an element of the Defense Department, such as Cyber Command or the NSA—because a civilian agency will ensure greater transparency for the cybersecurity program and thereby generate the trust needed for the program to succeed.