A law championed by Rep. C. A. Dutch Ruppersberger to get businesses and the government to share information about computer security threats has had limited impact so far because companies are reluctant to hand over data to the government, officials and corporate executives said Thursday.
About 50 companies and other organizations are getting cyber intelligence information from the Department of Homeland Security under the law, department official Greg Touhill said at an intelligence community conference. Only a single company is sending information to DHS.
Touhill, deputy assistant secretary for cybersecurity and communications, said the company that is sharing information has about 2,000 clients, so its effect is magnified. He declined to name the firm but said it's a cybersecurity company and plans to make a public announcement next week.
The law, called the Cybersecurity Information Sharing Act, was billed as a way to strengthen the nation's defenses against hackers, but its progress through Congress was arduous. Civil liberties advocates worried that it would open a back door for spying on Americans; business leaders worried about the implications of having to share information about attacks with the government.
Michael Allen, a former Republican congressional aide who helped shape the bill, said it appears that the business community's reluctance to share remains an obstacle.
It's also not clear how useful those companies that have signed up to receive information from the government have found it to be, he said.
Speaking on a panel that included executives from AT&T and Citibank, Allen said the concern about the process ran deeper than he had realized.
"I've heard even more skepticism up here than I thought I would have today," he said. "It worries me."
The idea behind the law is that most cyberattacks are against the private sector, where the government can't detect them, so information from companies could be useful intelligence. Attackers recycle tools and tactics, so if information about attacks were shared more widely, some could be prevented.
Chris Boyer, an executive at AT&T, said the company is still deciding whether it will participate. In most cases, AT&T would be sharing information about an attack on one of its customers, he said, something those customers would not necessarily be happy about.
"It's not in our nature to just push all the information out," he said. Companies have preferred to rely on private information-sharing arrangements among their industry peers, which can be controlled more closely.
Citibank executive James Katavolos said financial firms had similar concerns.
"I don't think it's ready as is right now for a majority of our sector to sign up," he said.
A spokeswoman for Ruppersberger said the Baltimore County Democrat is keeping an eye on how the law is being used, and has meetings with businesses scheduled to see how they like its provisions.
"We have heard anecdotally that there is definitely more information sharing going on," spokeswoman Jaime Lennon said. "DHS just issued its final guidance on 'how' to participate in June, so it's probably too early to assess progress."