The Cipher Brief spoke with Raj De to discuss the Cybersecurity Information Sharing Act (CISA). Mr. De recently served as the General Counsel at the National Security Agency, after holding senior appointments in the White House and the Department of Justice. He is currently a partner at Mayer Brown, where he leads the firm’s global Cybersecurity and Data Privacy practice.
The Cipher Brief: Why is information sharing between the private sector and the government so important?
Raj De: Information sharing is an important element of a comprehensive cybersecurity approach because most of the relevant telecommunications infrastructure is privately owned and operated. Both the government and the private sector have unique windows into the cyber threat landscape, but neither the government nor any individual private entity has the complete picture. Moreover, real-time information sharing between the government and the private sector – and within the private sector – is all the more important when we have such a rapidly evolving cyber threat environment.
TCB: Some opponents of the legislation, and critics of the issue generally, argue that CISA may not affect the key behaviors that cause cyber problems. How effective is information sharing at promoting stronger cybersecurity?
RD: Cybersecurity is as much a human challenge as it is a technical one, but information sharing is an important element in taking a comprehensive and strategic approach towards this complex set of challenges. This, of course, is going to require a multi-layered approach with various building blocks, but efforts to address other challenges will naturally be less effective without a more complete and holistic picture of the threat landscape. Information sharing should not be held up as a panacea for this array of challenges, but there is no single silver bullet when it comes to cybersecurity.
TCB: There have been some concerns that CISA would result in information overload, making it difficult for the government to process and disseminate all the threat information it would be receiving. Is there sufficient government capacity in this area to allow for the benefits you have described?
RD: Scaling any sort of project like this is going to be a challenge, but it’s necessary. And, to the credit of the executive branch, there have been efforts in this regard and there are some mechanisms in place. There is no doubt that it is going to be a challenging future, but that is no reason not to embark on it now as opposed to later.
TCB: What would you say to the opponents of CISA who have privacy and civil liberties concerns about the legislation? Are those concerns valid?
RD: Privacy and civil liberties are very legitimate considerations as we think about the future of cybersecurity. However, I think it is important that we not allow the quest for perfection to be the enemy of the good when it comes to any legislation. After the spate of highly publicized cyber events over the past several years, I think there is definitely a bipartisan consensus coalescing around the need for legislation to encourage information sharing. Of course, there would be appropriate restrictions on what can be shared with the government, with whom it can be shared, under what conditions, and so forth. A great deal of progress has already been made towards resolving a lot of those challenges, and the time to resolve those final details is definitely now.
TCB: Why is it important for this to be done through legislative action?
RD: The legal framework under which the private sector can share cyber threat information is important for improving our shared understanding of the threat. The worst thing for business is uncertainty, and the worst kind of uncertainty is legal uncertainty. So appropriately crafted voluntary information sharing legislation could help reduce legal uncertainty, at least in some respects.