On June 15, 2016, the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing to examine industry perspectives on the implementation of the Cybersecurity Act of 2015 (“CISA” or the “Act”). The witnesses at the hearing were Mr. Matthew J. Eggers, Executive Director of Cybersecurity Policy, National Security and Emergency Preparedness, at the U.S. Chamber of Commerce; Mr. Robert H. Mayer, Vice President of Industry and State Affairs at the United States Telecom Association; Mr. Mark Clancy, Chief Executive Officer at Soltra; Mr. Mordecai Rosen, General Manager, Security Business Unit at CA Technologies; and Ms. Ola Sage, Founder and Chief Executive Officer at e-management.
Each witness expressed overall support of the Department of Homeland Security’s (“DHS”) implementation thus far, while still pointing out current concerns. Mr. Mayer noted that lingering questions concerning statutory liability protections for information sharing remained, but the industry and government are committed to addressing these questions.
In addition, Mr. Mayer expressed concerns regarding the implications of and potential conflicts with draft privacy rules that the Federal Communications Commission (the “FCC”) recently announced. Under CISA, an entity can share personal information if, at the time of sharing, that entity did not knowingly reveal personal information unrelated to the cyber-security threat. However, the FCC proposal would limit protection only to cases when the information sharing is shown to be “reasonably necessary.” Mr. Mayer ended his statement with a comment that they are currently working with the FCC to gain clarity on its proposal.
Mr. Clancy testified that DHS and the Department of Justice (“DOJ”) need to clarify that liability protection under the Act covers sharing between private parties and not just between industry and government. Representative John Ratcliffe (R-TX) resolved this later in the hearing when he noted that the DHS and DOJ released an information sharing guidance that morning titled, “Guidance to Assist Nonfederal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities Under the Cybersecurity Information Sharing Act,” which clarifies that the Act’s liability protections extends to sharing between nonfederal entities. Mr. Clancy also testified that DHS and DOJ should provide additional guidance on the definition of personally identifiable information (“PII”) given tension between definitions in DHS’s Automated Indicator Sharing (“AIS”) program guidance and with respect to other DHS programs.
Finally, Ms. Sage discussed in her testimony the issue that many small businesses are unaware of the Act. Currently, the Act is largely of interest to major corporations with greater infrastructure and resources. She believes the government can increase awareness of the law through its existing outreach programs.
Over 50 private companies and 24 federal agencies share critical information in the DHS National Coordination Center. In the hearing, the witnesses congratulated the DHS for the job they have done to date on the implementation. The main concerns brought forward during the hearing addressed the need for clarification on a few points in the Act and the need for increased awareness about the value of working with the DHS.
Witness prepared testimony and an archived webcast of the hearing can be found on the House Homeland Security website here.
Reporter, Jennifer Raghavan, +1 415 318 1234, jraghavan@kslaw.com
