Who Do You Trust? Proposed Cybersecurity Bill Would Encourage Public-Private Cyber Threat Information Exchange by Providing Legal Immunity
“Who Do You Trust” was a 1950’s game show that required players to decide whether they could rely upon the information provided by their partners to win cash prizes of $25, $50 and $75. In today’s increasingly networked environment, there’s a lot more at risk in trusting another’s information about cybersecurity. Corporations and industries complain that they can’t trust the timeliness and accuracy of government information about cybersecurity. And cybersecurity experts point to distrust over the motives of the government and competitors as a bar to information sharing among private entities. But despite that, everyone agrees that information sharing would inure to the general benefit of all involved.
Rep. Daniel Lungren of California,Chair of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Committee on Homeland Security, is aiming at impediments to cybersecurity data sharing in a bill introduced on Dec. 15, 2011. S. 3674, the ‘‘Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011’’ or the “PRECISE Act of 2011,” contains, among other things, a provision that would encourage corporate and industry participation in government sponsored cybersecurity programs by including legal exemptions and protections for private entity information-sharing. A copy of the bill as introduced is available here.
Lungren’s bill is one of a number of cybersecurity bills that have been proposed in the 112th Congress. Although news reports of cyber attacks by criminals, hactivists and foreign governments make headlines almost daily, none of the proposals has gotten as far as a floor vote. An administration-backed proposal by Senator Joseph Lieberman, S. 413, was the subject of a Senate committee hearing last May, but the bill hasn’t seen further action. S. 413 takes a regulatory approach that would entail the creation of a new federal cybersecurity entity empowered to adopt regulations covering certain private entities, and provide for civil penalties for noncompliance with cybersecurity requirements.
Lungren’s bill follows on the release of a report by the House Republican Cybersecurity Task Force in October that favors targeted and limited regulation, improved information sharing, and legal protections for sharing information.
A Voluntary Approach
The Lungren bill would create a National Cybersecurity Authority tasked with serving as a “focal point” for federal government cybersecurity efforts, including, among many other duties, the facilitation of cybersecurity information sharing among and between Federal and State agencies and local governments, the private sector, academia and international partners. From the government side, the Secretary of Homeland Security would be directed to share certain information concerning cybersecurity threats and mitigation efforts with Federal agencies, State and local government representatives and “appropriate critical infrastructure information systems owners and operators” (a defined category). The Authority would also be tasked with studying cybersecurity threats and risks, and compiling information about risk assessments and responses, among other things. But the bill confers no new regulatory authority.
National Information Sharing Organization Nonprofit
The Lundgren bill would also direct the creation of a cybersecurity nonprofit organization, a “National Information Sharing Organization,” that would facilitate the sharing of cybersecurity information provided by the private sector. One purpose of the proposed nonprofit would be to serve as a national clearinghouse for the exchange of cyber threat information between and among public and private entities. Designated Federal agencies would be required to participate in the nonprofit, but participation by other entities would be voluntary.
Like any nonprofit, a key element would be the composition of the Board of Directors. Significantly, the Board of the proposed NISO would be dominated by private sector representatives, and in particular, by commerce and industry representatives. The Board would include one representative of the Department of Homeland Security; four representatives from at least three different federal agencies with significant responsibility for cybersecurity; and ten representatives from the private sector, of whom two would be from the “privacy and civil liberties community.” The remainder of the Board would consist of ten representatives of the following “critical infrastructure sectors and subsectors” – banking and finance; communications; defense industrial base; energy and electricity; energy, oil and natural gas; health care and public health; and information technology.
Rulemaking
The Board of Directors would have the power to establish a charter setting out rules for information-sharing, including the treatment and ownership of intellectual property provided by or to the organization; limitations on liability, and “consideration of any necessary measures to mitigate antitrust concerns.” The charter would also cover such topics as privacy and civil liberties protections, public transparency and oversight, and security requirements for the handling of information received from private and governmental sources.
Liability Protection
A key element of the Lundgren bill is its exemptions from existing laws, including a blanket exemption from antitrust laws, and detailed provisions protecting against the disclosure or use of information provided to the proposed NISO.
Information shared with or provided to the proposed NISO, or to a federal agency through the nonprofit, would be exempt from disclosure under the Freedom of Information Act. Further, information shared with the proposed NISO could not be shared with any other federal or state entity, or with any third party in any civil action, without the written consent of the person or entity submitting the information. Similarly, such information could not be shared with any officer or employee of the United States unless to further the investigation or prosecution of a criminal act or to disclose to an appropriate Congressional committee. The exemption also contains parallel provisions pertaining to state and local government.
Pros and Cons
Representative Lundgren held a hearing on the the draft bill on December 6, 2011. The hearing included testimony in support of the bill from Symantec Corp., and Prof. Gregory E. Shannon of Carnegie-Mellon’s CERT cybersecurity entity. Testimony from the Congressional Research Service discussed the precedents for, and pros and cons of, the type of quasi-government entity envisioned by the draft bill.
Also speaking in support of the draft bill was the Center for Democracy and Technology, although that organization’s support was tempered by several privacy and data security-related concerns.
The CDT’s prepared testimony provides helpful comparisons between the draft bill, Sen. Lieberman’s S.413, and the Obama Administration proposal from which the Lieberman bill derives. The CDT pointed out that while private entities would share data anonymously through the NISO, any individual personally identifiable information included in the data they shared would not be required to be anonoymized or minimized. The CDT also criticized language in the exemptions provision of the draft bill that would appear to broadly encompass all existing federal privacy laws such as the Electronic Communications Privacy Act.
Prospects for Passage
Although both houses of Congress seem to agree that cybersecurity legislation is needed, their diametrically different approaches would have to be reconciled in order for such legislation to pass both houses. There doesn’t seem to be much chance of such a reconciliation as we move into an election year. Nevertheless, Sen. Harry Reid sent a letter on November to his Republican counterpart seeking bipartistan cooperation in advancing cybersecurity legislation.
