The McCain bill defines “cybersecurity center” as “the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, [and] the National Cybersecurity and Communications Integration Center, and any successor center.” Sec. 101(5)

| | Lungren, H.R. 3674 | Rogers, H.R. 3523 | Lieberman, S. 2105 | McCain, S. 2151 |
|---|---|---|---|---|
| Method of sharing? | Establishes a non-profit, quasi-governmental entity – the National Information Sharing Organization (NISO) – that would serve as a clearinghouse for the exchange of cyber threat information. NISO's board of directors would be dominated by industry, with government and privacy interests also at the table. Sec. 241 | Allows for private companies and government agencies to exchange information directly for any cybersecurity purpose. Companies would choose the agency or agencies with which they would share information and could also share information directly with each other. The bill creates no clearinghouse. Sec. 1104(b)(1) | Cyber threat indicators may be shared through DHS-designated federal or non-federal exchanges or directly among companies. Since liability protection for private companies only applies for information shared with an exchange, companies will be disinclined to share strictly with each other. Secs. 702, 703 | Allows for private companies to exchange information with each other and with existing cybersecurity centers. Sec. 102(a)(2). Federal contractors providing certain IT services to the government would be to disclose information. Sec. 102(b) |
| Does the bill promote transfer of cybersecurity authority from civilian to military control by permitting private civilian entities to share communications info with NSA? | No. Wisely cements DHS, a civilian agency, as the lead federal agency for cybersecurity. Information sharing authorized in the bill would go through a primarily private entity. | Yes. The bill creates a real possibility that a military agency, such as NSA or DOD's Cyber Command, would take the lead. Information sharing is authorized through amendment to Title 50 of National Security Act, rather than through amendment of civilian homeland security authorities. | Unclear. The bill requires DHS, the AG, ODNI, and DOD to create a process for designating cyber exchanges. The lead federal cyber exchange could be NSA, Cyber Command, or a DHS entity, but DHS is the lead exchange for up to 60 days until this designation. Other federal exchanges could be civilian or military. Sec. 703(c) and (d) | Yes. Goes beyond even Rogers by allowing cyber information to be shared by civilian private entities with a host of government cybersecurity centers, the majority of which are military. |