Cybersecurity legislation still draws intense opposition

Efforts to craft legislation that would promote the sharing of cyberthreat information between the private sector and government, without jeopardizing privacy and civil liberties or leaving organizations exposed to liability, aren’t there yet, according to critics.

Five bills aimed at governing the sharing of cyberthreat information have been proposed in the current session of Congress. Technically, only two are now pending, but that’s because two in the House and two in the Senate were combined. 

The House bills – originally labeled H.R. 1560, Protecting Cyber Networks Act (PCNA); and H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA) – both passed the House during the week of April 20 and were then combined, with the PCNA becoming Title I and the NCPAA Title II of H.R. 1560. 

According to the Congressional Research Service (CRS), the two Titles of the combined House bill have several things in common. Both of them:

  • focus on the sharing of cyberthreat information within the private sector, and between the private sector and government;
  • create a structure for the information-sharing process; and
  • address issues such as privacy, civil liberties and the liability risks of private-sector sharing.

However, they differ in how they define some common terms, such as “cyberthreat indicator,” in the roles assigned to the Department of Homeland Security (DHS) and the intelligence agencies, in the uses permitted for shared information and in their reporting requirements.

Privacy remains a hot issue 

The involvement of intelligence agencies and the permitted uses of threat intelligence are particularly hot-button issues for privacy advocates, who argue that the bills should restrict use of the shared information more specifically, to investigating only crimes involving cybersecurity.

Ari Schwartz, director of cybersecurity at the National Security Council at the White House, said in a presentation at the recent Senior Executive Cyber Security Conference at Johns Hopkins University in Baltimore that the current House bills address those complaints by requiring “minimization” of the collection of personally identifiable information (PII) and by restricting the use of all shared information to cybersecurity purposes.

But he said liability protections had become too expansive. Indeed, the White House, in a “Statement of Administration Policy” in April, said what it called “sweeping” liability provisions “should not grant immunity to a private company for failing to act on information it receives about the security of its networks.”

The statement also called for amendments to the bill that would “ensure that information is not shared for anticompetitive purposes.”

Finally, it expressed concerns about H.R. 1560 authorizing “potentially disruptive defensive measures,” what many in IT call “hacking back” against attackers. The White House said such measures “without appropriate safeguards raises significant legal, policy, and diplomatic concerns and can have a direct deleterious impact on information systems and undermine cybersecurity.”

But Schwartz, as the White House representative, said he thought those flaws could be addressed in committee. 

Bill stalls, faces long debates

In the Senate, S. 754, the Cybersecurity Information Sharing Act (CISA), and S. 456, the Cyber Threat Sharing Act of 2015 (CTSA), have been combined under S. 754. That bill is currently stalled in the Senate.

Its fate is very much uncertain. Anton Dahbura, of the Johns Hopkins University Information Security Institute, referring to a story in The Hill, told conference attendees that Senate Intelligence Chairman Richard Burr (R-N.C.) had said it could be well into October before it’s taken up again.

Even then, it could be debated to death, as was the case with bills proposed three years earlier. Dahbura said the bill already has a slate of 22 amendments pending. 

The bill has the declared support of the White House, and Schwartz said he thought the Senate bill had improved on earlier efforts, both in the protection of PII and better limitations on the allowed uses of information. 

“We think if both bills pass, we can address the remaining problems in the conference committee,” he said. 

But there is intense opposition to S. 754 from civil liberties and privacy advocates, and even from DHS, which, in a letter to Sen. Al Franken (D-Minn.), warned that the sharing provisions of the bill “could sweep away important privacy protections.”

And on the private-sector side, 40 organizations and 31 individuals signed a letter to the president, contending that S. 754 would violate the administration’s own stated priorities to “preserve Americans’ privacy, data confidentiality and civil liberties and recognize the civilian nature of cyberspace.”

Bruce Heiman, a partner at K&L Gates, who spoke at the conference on the legal implications of the pending legislation, said there are more risks than benefits to the private sector from such sharing.

But he said whatever the final form of the legislation, it should be scrutinized with at least the following questions:

  • What kind of information will be shared?
  • Will PII be scrubbed?
  • What departments of the government will receive data from the private sector, and what other departments will they share it with? Heiman said DHS, as a civilian agency, should be the “central portal” for the collection of information. The “key issue” after that, he said, is whether it would then be shared with law enforcement or intelligence agencies like the Department of Defense or NSA.
  • What can the information be used for?
  • What legal liability protections does it provide to the private organizations that share threat information?

By Taylor Armerding