"I believe in security apparatus for every nation," Carter said. "But what you are defending is as important as how you defend it. We are destroying America by doing things that undermine our essentials. Don't destroy the object you're trying to protect."
Ari Schwartz, director of cybersecurity for the National Security Council at the White House, was one of the few advocates for the pending legislation, though he acknowledged that past efforts have not included adequate privacy or liability protections. He argued that privacy and security don't have to be at odds.
"The goal of government is to do both at the same time," Schwartz said, "and 99% of the time, it's not a problem. It's mutually reinforcing. You can't really have privacy without security."
Given the lack of action in Congress over the past four years, President Obama has issued executive orders promoting best security practices, he said, especially in the nation's critical infrastructure and the voluntary sharing of threat information.
That led to DHS building an automated information-sharing platform that "contains the same language that banks, energy companies use to share information," and limits the collection of PII. "There's no way to share name, addresses, etc.," he said.
Those orders, he said, have already led to better risk management and incident response.
Schwartz contended that the bills in Congress are better than earlier ones, but warned that some liability protections go too far. "There can't be blanket liability protection," he said. "We don't want it for those who don't take action on threat information."
Bruce Heiman, a partner at the law firm K&L Gates, offered up a short list of reasons why companies should trust government enough to share information, including its capacity to provide threat information and foreign intelligence, and its power to pursue cybercriminals.
But he had a much longer list of reasons why it could be risky, including:
- Loss of control of the investigation and response
- Damage to reputation
- Regulatory enforcement - both civil and criminal
- Actions by state attorneys general
- Civil class action suits by those whose data is compromised and/or by shareholders
- Congressional investigations
The way to get the benefits without suffering the risks, he said, is to "provide protection to companies to incentivize the voluntary sharing of information."
As both Greene and Schwartz noted, voluntary information sharing is already happening. Michael Echols, of the DHS Office of Cybersecurity and Communications, said his agency's information-sharing hub "shared 97,000 indicators in 2014 - half from malware and issues that we knew about five years ago - and turned reports into actionable alerts - 12,000 of them in 2014."
Adding support for information sharing was Curtis Levinson, U.S. cyber defense adviser to NATO. He called himself a "huge fan" of the effort, and noted that he is working on a threat information sharing system "with 28 countries that don't like or trust each other, but are allies in this area."