“I do have a high degree of confidence that this information will be well protected and shared at the appropriate levels,” Rep. Jim Langevin (D-R.I.) told the Daily Dot on Friday, pushing back on privacy groups’ criticisms of the Cybersecurity Information Sharing Act.
The House passed two companion bills several months ago, but CISA, the Senate’s version of legislation to let businesses share cyber-threat data with the government, has languished in the upper chamber due to objections from privacy-minded lawmakers.
Langevin, who co-founded the Congressional Cybersecurity Caucus in 2o08, dismissed concerns about Americans’ private information appearing in shared data and objected to the notion that the government should bolster its cybersecurity before enacting an information-sharing law. In an interview with the Daily Dot, Langevin argued that CISA would “ensure that we are better protected than what we are right now.”
How big of a deal is information sharing in the overall cybersecurity picture?
Rep. Jim Langevin: I think it’s a major step forward in ensuring stronger cybersecurity protection. Again, I’ll reiterate, as I have said before, that it’s not a silver bullet, it’s not going to be the be-all and end-all. But it is a major step forward, a major arrow in our quiver. Right now, in many ways, many are blind to the vulnerabilities that exist out there. If we can share information broadly and preferably at network speed, then we’re going to be far better protected than we are today. I’m pleased that the Senate is moving forward with legislation, as I understand it. I look forward to hopefully seeing it pass the Senate soon and getting it to conference and ultimately to the president’s desk.
How active was the Cybersecurity Caucus in lobbying for House passage of the two companion bills?
No, I wouldn’t say I was actively… the issue was on the docket, people knew what it was, it was… Certainly, I was encouraging people to support it. But the Caucus didn’t play any formal role in moving the legislation forward.
What is your response to civil-liberties groups that say the privacy protections in CISA are too weak, that personal information could be shared without proper protections, and that there’s no reason to trust the Department of Homeland Security to safeguard it from hackers?
Well, I know that both of the House bills—and the Senate bill—have been actively engaged with the privacy and civil-liberties community. This legislation is very well crafted, well balanced, and there are more-than-adequate protections on protecting privacy and civil liberties. We need to make sure that we are always considering privacy and civil-liberties protections whenever you’re talking about information sharing. But the bill, for example, requires that we strip personal information before sharing. This is specifically about sharing cyber-threat information. It can only be used for cybersecurity purposes.
Why should Americans trust DHS, or any government agency, to be a secure repository for threat data that could—if the scrubbing isn’t complete—include personal information?
I do have a high degree of confidence that this information will be well protected and shared at the appropriate levels. Any private information is going to be stripped out before sharing.
I certainly understand that that’s the goal, but critics have said that there’s no reason, after all the government’s other cybersecurity failures, to trust that the scrubbing will be complete. But it sounds like you’re confident that there won’t be those issues.
One of the apparent sticking points over CISA is whether DHS should share information it gathers from the private sector in real time or in near-real time, the latter of which would allow it to scrub personal information. What strikes you as the better process?
I want us to do this in as near-real-time as possible, with the requirements of the legislation being carried out, again, to strip private information from the data.
What’s your message for Sen. Ron Wyden, the Senate’s chief CISA critic, who has said that we should plug security holes before we throw more data into potentially vulnerable systems? Is that a valid point, or can we do those two things separately?
I think you can do them simultaneously. They can certainly be done in tandem. They’re not mutually exclusive.
“This legislation is very well crafted, well balanced, and there are more-than-adequate protections on protecting privacy and civil liberties.”
So you’re not worried about doing this first without an assessment of the system that we’re putting data into? Or do you believe that the system is ready and capable of securing this data?
I think that the system is ready. I don’t think that we need to wait for the perfect time to do this. The urgency is now. We can see clearly that the adversaries, the perpetrators of cyberattacks and cyberintrusions, are winning in this effort and winning this battle. We need the proper tools and mechanisms in place to ensure that we are better protected than what we are right now. This information-sharing [legislation] will be a major step forward.
Have you tried to reach out to privacy groups and explain your view of this legislation?
Yes, my staff and I have been in contact with privacy and civil-liberties groups. But even more importantly, the sponsors of the legislation and the committees have been in contact routinely with privacy and civil-liberties groups. Their input’s important. The White House has been engaged with privacy and civil-liberties groups, and the sponsors of the legislation have been engaged with the privacy and civil-liberties groups and with the White House as well. This has not happened in a vacuum. They’ve had more than adequate opportunity to give their input, and in many ways, the privacy and civil-liberties protections that have been built into this are the direct result of that.
I would also say that the privacy and civil-liberties protections that are in the House bill are certainly stronger than CISPA in the past.
Have you been involved at all in the Senate process for CISA?
The Senator that I’ve been engaged with is Sen. Sheldon Whitehouse. He’s a member of the Senate Judiciary Committee and he’s very involved with this legislation and negotiations to bring it to the floor. I was just on the phone, as a matter of fact, with Sen. Whitehouse last night, and he gave me a realistic but optimistic view that we could have this legislation—that the Senate would be taking up this legislation hopefully before the end of the year. In fact, what he shared with me is that there has been an agreement worked out on amendments—which ones have not yet been agreed to, and which [ones] would have to be taken up for debate in a vote. He said that unanimous-consent agreement is rare these days and was very encouraging—that it meant that the legislation would be moving forward.
“We can see clearly that the adversaries, the perpetrators of cyberattacks and cyberintrusions, are winning in this effort and winning this battle.”
Now, it doesn’t mean that some of these amendments—they could still be filibustered or what have you, and [that] may slow the process down. But he’s more optimistic than less optimistic that we’ll see this bill taken up sooner rather than later.
In fact, as I understand it, there’s only one other major piece of legislation that is pending out there, that the Senate has to deal with, that would be taken up before [CISA]. Again, that’s the only major thing, other than, obviously, the appropriations bills and such. But I don’t expect to see those being passed, because of the White House position that the appropriations bills would not be supported unless we have a more comprehensive plan and that it is adequately funding the government.
House Republicans are struggling to pick a new speaker. Several of the candidates, including House Oversight Committee Chairman Jason Chaffetz, have made cybersecurity a top priority. Do you have thoughts on which of the cyber-focused candidates would bring the best leadership to that issue?
I wouldn’t have a recommendation there as to [which] of the candidates … would be a good fit right now. It is so fluid on the Republican side right now. I don’t even know who the candidates ultimately will be. The Republican Caucus was meeting about that today. They are clearly in disarray after Majority Leader McCarthy’s decision not to seek the [speakership]. We’ve heard several names mentioned now, but it’s unclear actually who the candidates will be at this point.
Are you concerned about the effect of the speakership turmoil on a possible Senate–House conference to resolve differences between CISA and the House bills?
Well, they don’t have a speaker. That’s a problem. That’s going to delay everything. But eventually this will get worked out, whether they have an interim speaker or whether they find consent behind someone that’s permanent.
I remind you that the House information-sharing bills passed with overwhelmingly strong majorities—over three hundred [supporters] on each vote, as I recall. So there’s strong support for seeing information-sharing legislation move forward in the House. Whoever the next speaker’s going to be is, hopefully, going to be mindful of how strongly both of those bills passed.
Photo via Dave Herholz/Flickr (CC BY SA 2.0)