America's New Cybersecurity Agency Can't Function Without CISPA

​The US government has a new agency to counter cyber threats at its disposal: the Cyber Threat Intelligence Integration Center. The agency's purpose is to streamline the US intelligence community's cybersecurity strategy by collecting information from military sources and private companies—an undertaking that will largely rely on problematic legislation that doesn't yet exist.

During a press conference at the Woodrow Wilson Center today, Lisa Monaco, assistant to the president for homeland security and counterterrorism, stressed that sharing information with private companies is critical to preventing cyber attacks. Congress must work bipartisanly, she said, to pass legislation that provides companies with legal protection when it comes to sharing customer information with the government.

"We're really hoping we can galvanize Congress to act," Monaco said. "We're going to have to work in lockstep with the private sector. Partnership is a precondition to success; there is simply no other way to combat such a complicated problem."

The Cyber Threat Intelligence Integration Center will be governed by the Office of the Director of National Intelligence, an agency that oversees the NSA, CIA, FBI, and intelligence programs in other government agencies.

While the bill was not mentioned by name, Monaco was likely referring to the Cybersecurity Information Sharing and Protection Act (CISPA), a controversial bill reintroduced in January that would allow the government to share information about potential cyber attacks with private companies, and vice-versa. The Act would protect private companies from legal sanctions if they share information with the government, even if it contains private information.

Congress has yet to vote on the legislation, but, in the past, the bill has passed the House of Representatives before being killed by the Senate.​

Civil liberties organizations have spoken out about the risks inherent in a bill that legally protects companies when they share customer information with the government. "CISPA would encourage the open sharing of personal data with nearly no privacy protections—a profound abuse of users' rights," Drew Mitnick, a lawyer with Access, told Motherboard in January. "It would create yet another surveillance regime."

The Cyber Threat Intelligence Integration Center will have an international focus, Monaco said, although whether the agency will also target domestic hackers (and thus collect information about US citizens) has yet to be determined.

"It's hard to divide [domestic and international attackers] these days," said Megan King, Strategic and National Security Advisor to the President and CEO of the Wilson Center. "I think that's going to be a major question that Congress asks: How are we going to codify the center if we don't know if it's all domestic, or all foreign, or a mixture of both?"
​
​​"There are some pretty sticky legal issues that are going to come out of this," King continued.

Much of the Cyber Threat Intelligence Integration Center's mandate will need to be determined by Congress, King told me. An executive order spelling out agency's duties will be signed and released by President Barack Obama on Friday at Stanford University's White House Cyber Summit.

Even so, it appears that the Cyber Threat Intelligence Integration Center's planned activities require a legal framework that would allow private companies to share customer information without legal repercussions—a set of circumstances that would only be possible, at the moment, if CISPA is passed by Congress. The establishment of the agency constitutes both leverage and a wager: It needs CISPA to exist, and thus CISPA must.