Five bills aimed at governing the sharing of cyberthreat information have been proposed in the current session of Congress. Technically, only two are now pending, but that’s because two in the House and two in the Senate were combined.
The House bills – originally labeled H.R. 1560, Protecting Cyber Networks Act (PCNA); and H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA) – both passed the House during the week of April 20 and were then combined, with the PCNA becoming Title I and the NCPAA Title II of H.R. 1560.
According to the Congressional Research Service (CRS), both Titles of the combined House bill have several things in common. They both include the following:
- Focus on the sharing of cyberthreat information within the private sector, and between the private sector and government.
- Create a structure for the information-sharing process.
- Address issues like privacy, civil liberties and the liability risks of private-sector sharing.
However, they differ in how they define some common terms, such as “cyberthreat indicator,” and also in what roles the Department of Homeland Security (DHS) and intelligence agencies will play, the uses permitted for shared information and reporting requirements.
Privacy remains a hot issue
The involvement of intelligence agencies and permitted uses of threat intelligence are particularly hot button issues for privacy advocates, who argue that the bills should more specifically restrict the use of the information to investigate only crimes involving cybersecurity.
Ari Schwartz, director of Cybersecurity, National Security Council at the White House, said in a presentation at the recent Senior Executive Cyber Security Conference at Johns Hopkins University in Baltimore, that the current House bills address those complaints, with “minimization” of the collection of personally identifiable information (PII) and restricting the use of all shared information to cybersecurity.
But he said liability protections had become too expansive. Indeed, the White House, in a “Statement of Administrative Policy” in April, said what it called “sweeping” liability provisions, “should not grant immunity to a private company for failing to act on information it receives about the security of its networks.”
The statement also called for amendments to the bill that would, “ensure that information is not shared for anticompetitive purposes.”
Finally, it expressed concerns about H.R. 1560 authorizing “potentially disruptive defensive measures” – what many in IT call “hacking back” against attackers. The White House said such measures, “without appropriate safeguards raises significant legal, policy, and diplomatic concerns and can have a direct deleterious impact on information systems and undermine cybersecurity.”
But Schwartz, as the White House representative, said he thought those flaws could be addressed in committee.
Bill stalls, faces long debates
In the Senate, S. 754, the Cyber Information Sharing Act (CISA) and S. 456, The Cyber Threat Sharing Act of 2015 (CTSA), have been combined under S. 754. That bill is currently stalled in the Senate.
Its fate is very much uncertain. Anton Dahbura, of the Johns Hopkins University Information Security Institute, referring to a story in The Hill, told conference attendees that Senate Intelligence Chairman Richard Burr (R-N.C.) had said it could be well into October before it’s taken up again.
Even then, it could be debated to death, as was the case with bills proposed three years earlier. Dahbura said the bill already has a slate of 22 amendments pending.
The bill has the declared support of the White House, and Schwartz said he thought the Senate bill had improved on earlier efforts, both in the protection of PII and better limitations on the allowed uses of information.
“We think if both bills pass, we can address the remaining problems in the conference committee,” he said.
But there is intense opposition to S. 754 from civil liberties and privacy advocates, and even from the DHS, which, in a letter to Sen. Al Franken (D-Minn.), warned that the sharing provisions of the bill, “could sweep away important privacy protections.”
And on the private-sector side, 40 organizations and 31 individuals signed a letter to the president, contending that S. 754 would violate the administration’s own stated priorities to, “preserve Americans’ privacy, data confidentiality and civil liberties and recognize the civilian nature of cyberspace.”
Bruce Heiman, a partner at K&L Gates, who spoke at the conference on the legal implications of the pending legislation, said there are more risks than benefits to the private sector from such sharing.
But he said whatever the final form of the legislation, it should be scrutinized with at least the following questions:
- What kind of information will be shared?
- Will PII be scrubbed?
- What departments of the government will receive data from the private sector, and what other departments will they share it with? Heiman said DHS, as a civilian agency, should be the “central portal” for the collection of information. The “key issue” after that, he said, is whether it would then be shared with law enforcement or intelligence agencies like the Department of Defense or NSA.
- What can the information be used for?
- What legal liability protections does it provide to the private organizations that share threat information?