Private firms should not have to choose between sharing cyber-threat information & regulatory backlash.
By Senators Kay Bailey Hutchison John McCain & Saxby Chambliss
Texas Insider Report: WASHINGTON D.C. One week after Democrats at their Charlotte N.C. National Convention called for an open Internet that fosters innovation and investment
the Obama 
Administration is readying plans to tighten the governments grip. The White House is preparing
an Executive Order on cybersecurity that unilaterally imposes more mandates and regulations on the private economy.
Cybersecurity is a priority but anything less than a strong information-sharing bill based on policies that enhance national security and the economy will fall short. The Senate needs to follow the lead of the House and pass a bipartisan bill that includes clear authority to do so and provides liability protections to allow the private sector and government to better share cyber-threat information.
American industry faces a growing cyber threat from domestic and more frequently global actors. Vital industries such as communications energy and transportation confront these threats in a number of ways including by working with the government and its federal network of cybersecurity centers.
While these efforts are invaluable more can be done.
Over the last nine months Congress has devoted considerable attention to crafting strong cybersecurity legislation. Recognizing the need for consensus weve been working through the
summer to resolve fundamental differences between the two primary Senate bills: the SECURE IT Act which we co-sponsored and the Cybersecurity Act of 2012.
Yet now it appears
the Obama Administration is set to act on its own.
Thats the wrong solution because it cannot fully address the one area most critical to improving cybersecurityenhancing the sharing of cyber-threat information among private firms and with the government. This type of information sharing such as a company informing the government of malicious network activity provides the government with a clearer view of the threat picture and allows network operators to identify and take steps to prevent attacks.
Today sharing is significantly constrained because of legal hurdles. These include antitrust laws that preclude companies from working together to prevent cyber threats and statutory limitations on when and what kind of information can be shared with government.
Companies must first check with their lawyers before sharing information for fear of litigation not just from customers or shareholders but from federal and state governments as well. The net impact is that
critical cyber-threat information is not shared in a timely manner or worse not shared at all.
Responsibly removing these legal hurdles is at the core of
the SECURE IT Act which provides essential liability protections for companies that share cyber-threat information. These new statutory protections would drive information sharing and significantly improve our nations cybersecurity. Because these protections require changes to existing law the most basic cybersecurity needs cannot be accomplished by executive order alone.
Theres another downside to an executive order. Unilateral action in the form of government mandates on the private sector creates an adversarial relationship instead of a cooperative one.
For years the federal government has invested heavily in six cybersecurity centers that operate within various agencies across the federal government. They offer unique capabilities and benefits. Over time different companies and industry sectors have developed mutually beneficial relationships with these centers. This cooperation and flexibility is critical and should be encouraged not disrupted by adding new layers of bureaucracy at the Department of Homeland Security as will likely occur with an executive order.
If we are serious about improving information sharing we must encourage candid dialogue between the
government and business. This will not occur unless we also ensure that the information the federal government receives isnt then used to impose new and extraneous regulations. Businesses should not have to choose between sharing cyber-threat information and facing a regulatory backlash.
Finally once the government receives cyber-threat information it must be allowed to use it. This can be done while ensuring strong privacy protections are in place. Cybersecurity and privacy protections can and should coexist. Privacy protections are best achieved by clearly defining what the private sector may share with the government and by requiring strong oversight.
What the country cannot afford is to build bureaucratic walls around information once it is shared with the federal government. The 9/11 Commission was clear about providing government agencies with the ability to speak to each other about the threats facing all aspects of our security.
Yet the Cybersecurity Act of 2012 would in effect re-erect these walls by prohibiting cyber-threat information shared with the federal government from being used for non-cyber related national-security purposes such as information that could provide an early warning of a terrorist attack long before it becomes imminent. This limitation could mean that our law enforcement and intelligence agencies may not have access to all the information needed to keep this country safe.
Any government measures on cybersecurity will have a significant impact on the countrys security and economic welfare. Skirting congressional action by issuing an executive order is
neither appropriate nor effective.
The democratic process ensures that Congress and the president work together while listening to all those affected by their actions to find the solution thats in the best interests of the American people. We call on the president to follow this process and work with Congress to pass sound cybersecurity legislation.
Sens. McCain Hutchison and Chambliss are respectively the ranking Republicans on the Armed Services Committee Commerce Committee and Intelligence Committee.
