Homeland Security Committee’s Cyber Bill a Missed Opportunity

Greg Nojeim, Senior Counsel and Director of our Freedom, Security and Technology Project, guest wrote for Lawfare, a site published by the Lawfare Institute in cooperation with the Brookings Institute. It’s solely dedicated to “that nebulous zone in which actions taken or contemplated to protect the nation interact with the nation’s laws and legal institutions.” We’ve published the first few paragraphs here – click below for the full text.

Homeland Security Committee’s Cyber Bill a Missed Opportunity

Today, the House Homeland Security Committee marked up a cybersecurity information sharing bill that promised to be “the best of bunch” in terms of civil liberties protections among the cybersecurity information sharing bills that Congress is currently considering. Unfortunately, the bill misses the mark in a key respect.

The problem starts with the fact that like the other pending bills, the National Cybersecurity Protection Act (NCPAA, H.R. 1731), would authorize companies to share cybersecurity threat indicators “notwithstanding any law” – a problematic approach that is sure to have unintended consequences. Like the other bills, “cyberthreat indicators” are broadly defined in Section 2 of the bill to permit flexibility as technology changes and the information needed to be shared to counter cyber attacks evolves.

To compensate, partially, for the risk to privacy that comes with a broad definition of the information that can be shared “notwithstanding any law,” cybersecurity information sharing legislation can put strict limits on the purpose for which information is shared and on the use of that information. It is in establishing those strict use and purpose limitations that the NCPAA falls short.

Full text here.