Legislation to promote information sharing for cybersecurity purposes was marked up and reported out favorably – and unanimously – on February 1 by the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. The bill, sponsored by subcommittee chairman Dan Lungren (R-CA) and formally titled the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (PRECISE Act, H.R. 3674), balances cybersecurity, innovation, industry and civil liberties concerns, and CDT supports the legislation. I testified about a draft of the bill in December. Amendments adopted by the Subcommittee further improved the bill. In our view, the Lungren bill is far preferable to the Cyber Intelligence Sharing and Protection Act (CISPA, H.R. 3523) reported in December by the House Permanent Select Committee on Intelligence.
There is widespread agreement that ISPs and other operators of computer networks need clearer legal authority in order to be able to share with each other – and with the government – signatures and other information about suspected attacks on their networks. However, since we are talking about privately-owned and operated networks that carry personal communications, any sharing of information must be carefully controlled.
The core provisions of the PRECISE Act would promote information sharing for cybersecurity purposes by creating a narrow cybersecurity exception to all potentially applicable laws, including all privacy laws. The Act would establish a non-profit, quasi-governmental National Information Sharing Organization to serve as a national clearinghouse for the voluntary exchange of “cybersecurity threat information,” taking in reports, and sharing them back out, among the federal government, state and local governments, and industry. We believe that NISO, a privately-run information sharing hub, is likely to be more effective at quickly responding to cybersecurity threats – and would pose fewer civil liberties risks – than would a government-run information sharing hub. While the NISO board of directors would have governmental representatives and representatives of privacy interests, it would be dominated by industry.
The bill promotes information sharing while protecting privacy and civil liberties by:
- carefully defining the types of cyber threat information that can be shared through the clearinghouse;
- specifically requiring that personally identifiable information not necessary to describe a cyber threat may not be shared with and by the clearinghouse;
- restricting to cybersecurity purposes the use and disclosure of the information shared with and by the clearinghouse;
- creating a limited private right of action for persons injured by the disclosure or use of information for other than cybersecurity purposes when such conduct is willful or intentional, and is not in good faith;
- limiting law enforcement use of information shared for cybersecurity purposes to prosecute only cybersecurity crimes, thus helping to ensure that cybersecurity information sharing does not become a back door wiretap or surveillance program;
- avoiding giving the government authority to shut down or limit Internet traffic in a cybersecurity emergency; and
- cementing DHS as the lead federal agency for cybersecurity for the civilian government and private sectors, instead of putting the National Security Agency or DOD’s new Cybercommand in this role.
This approach is far preferable to the one taken in the Cyber Intelligence Sharing and Protection Act, H.R. 3523, about which I blogged in December. Both bills would invite elements of the intelligence community to share classified threat information with cleared companies. But CISPA creates uncertainty for companies, and threatens privacy, by vaguely defining the information that can be shared. CISPA fails to specify that only information pertaining to a known or suspected attack or attack probe can be shared. Therefore, broadly read, CISPA could permit the sharing of an entire communications stream or all of the traffic over a system. CISPA also threatens privacy by failing to limit use of the information shared to a cybersecurity purpose. As amended, once a governmental agency puts to any national security or cybersecurity purpose the communications information it receives under the bill, it can then use those communications for intelligence surveillance, the investigation and prosecution of any crime, and for any other non-regulatory purpose. Moreover, unlike the PRECISE Act, the structure and incentives in the CISPA bill raise a very real possibility that the NSA or DOD’s Cybercommand would become the primary recipient of communications information shared by ISPs and others in the private sector. This would permit a radical change in national cybersecurity policy from civilian control to the military.
Congress needs to make a choice: cybersecurity information sharing should be about protecting computers against cyber attacks – it should not also be a back door wiretap and intelligence surveillance tool. By failing to include a meaningful restriction on use of cyber threat information shared with the government, and by failing to make it clear that DHS will remain the focal point of civilian cybersecurity efforts, CISPA invites abuses that protections in the PRECISE Act should prevent.
In addition to facilitating information sharing, the PRECISE Act will also help companies and the government do a better job of protecting their networks, but without the heavy-handed approach that has characterized cybersecurity legislation in the Senate. The regulatory framework in the PRECISE Act has a light-touch, risk-based approach more likely to protect innovation than its Senate counterparts, the Cybersecurity and Internet Freedom Act (S. 413, 112th Cong.) and the Cybersecurity Act (S. 773, 111th Cong.). The PRECISE Act would authorize DHS to work with the private sector and regulatory agencies to identify internationally recognized, consensus-developed, risk-based performance standards to address cybersecurity risks. DHS would then work with existing regulatory agencies to include risk-based performance standards in the regulatory regimes applicable to the covered critical infrastructure, thus ensuring that companies are not put in the middle between a DHS requirement and a different requirement imposed by a company’s regulatory agency. This approach seems more likely to protect cybersecurity innovation than the more directive approach that has to date characterized the Senate bills.
The PRECISE Act is a welcome addition to the growing constellation of cybersecurity bills pending in Congress. While the bill is not perfect and CDT will be working to further improve the legislation, it is off to an excellent start.