Will voluntary cyber threat sharing plan cast doubt over CISPA?
Administration may expand DIB CS/IA program to companies, but experts say some legislation is still necessary
Thu, May 17, 2012
CSO — The Cyber Intelligence Sharing and Protection Act (CISPA) might be cast into doubt in the wake of a Department of Defense announcement last week that as many as 1,000 defense contractors -- and possibly thousands more -- may voluntarily join an expanded program of sharing classified information on cyber threats with the federal government.
The program, known as the Defense Industrial Base Cyber Security/Information Assurance, or DIB CS/IA, has been in a pilot phase for the past four years with only 37 contractors. The expansion, recently approved by the Obama administration, means about 8,000 contractors cleared to work with DoD intellectual property are being invited to participate.
Bloomberg BusinessWeek reports that Eric Rosenbach, deputy assistant secretary of defense for cyber policy, said that if this expansion "proves successful in safeguarding defense contractors from cyber attacks, the administration may enlarge the program to companies in 15 other critical infrastructure categories through the Department of Homeland Security."
This, if it works as expected, could prompt those arguing over CISPA, recently passed by the U.S. House, along with other similar pending legislation in Congress, to wonder how necessary it all is. Why mandate information sharing with the government if it can happen voluntarily?
Jason Healey, director of the Cyber Statecraft Initiative of the Washington, D.C. think tank Atlantic Council, says that while "there absolutely are similarities" between DIB and the various legislative efforts, there are "lots of other bits" in those bills -- such as mandatory security standards. "Some legislation is necessary," he says.
Dan Philpott, an expert in federal cybersecurity and editor of FISMApedia, says DIB CS/IA is "a much lighter version" of CISPA. He says another reason the program could not replace cybersecurity law is that it is unlikely that anything close to 8,000 contractors will volunteer to enter it. He believes the DoD is being optimistic even with an estimate of 1,000. "I think they'd be happy with 500," he says.
Beyond that, there is debate over how worthwhile and effective DIB CS/IA has been and will be. There is broad agreement that the threat of cyberattacks is increasing at "a rapid and accelerating rate," in the words of Rear Admiral Samuel Cox, director of intelligence for the military's Cyber Command, at a forum last month.
And the goal of the DIB expansion is for more sharing of data between private defense contractors and the DoD's intelligence-gathering arm, the National Security Agency. Richard A. Hale, deputy chief information officer for cybersecurity, told the American Forces Press Service, "We started the program in an attempt to share cyber-threat data with these companies in a way that allowed the companies to act on that information immediately," and called it, "an important step forward in our ability to catch up with widespread cyber threats."