There are few things that our elected representatives in Washington D.C. can agree on these days. Forget about hot button issues like reproductive rights or funding the social safety net. Even issues that were once rubber stamps – like federal highway funding – are the scene of internecine political feuds and struggles over narrow ideological issues.
Cyber security, however, isn’t one of those areas. In fact, there’s good news for folks who have been waiting for comprehensive cyber legislation. After long delays – years in some cases – cyber legislation is moving on Capitol Hill.
As I noted on Security Ledger, the House of Representatives Permanent Select Committee on Intelligence this week introduced the Protecting Cyber Networks Act, with bipartisan support. The bill would allow private companies to voluntarily share what the bill calls “cyber threat indicators” with other firms and with the federal government. In a nod to our “Post Snowden” political environment, the bill states explicitly that the data would not go through the NSA or Department of Defense and the law will provide “strong protections for privacy and civil liberties,” according to a summary of the bill.
The other piece of legislation making its way through Congress is the Cyber Information Sharing Act of 2015 – or CISA for short. This bill, sponsored by Sen. Richard Burr (R-NC), was passed by the Senate Intelligence Committee in a 14-1 vote and is headed for a vote by the full Senate. The bill is intended to help companies address cyber threats by providing a legal framework for the government to share information about cyber threats with private companies and vice versa – all without the threat of lawsuit or liability.
Finally, the White House has issued its own plan – a legislative proposal for information sharing that presumably sends a signal to Congress about what the Obama Administration would like to see in any finished legislation.
The problem both of these bills are attempting to address is simple enough.
Companies want legal cover. They want to be able to share certain types of information that might be useful to others, but they want to do it without drawing attention or inviting lawsuits.
The federal government’s needs are straightforward, too. It would like better data on cyber incidents. Right now, many are not reported by private sector firms. And, given the huge slice of the nation’s critical infrastructure that is in private hands – from Wall Street trading firms to power plants – this represents a huge gap in the government’s understanding of cyber risk facing the country.
The problem? Washington D.C. lawmakers don’t seem to be able to come up with a “clean” bill on cyber security. Instead, time and again otherwise passable bills have gone off the rails: adding provisions that raise the ire of privacy advocates or the business community or both without doing much to actually boost cyber security.
Who do these provisions serve? It’s often hard to tell, but the specter of the U.S. intelligence communities – the NSA and CIA – looms large.
Take the two most recent bills: CISA and the Protecting Cyber Networks Act (PCNA). As the noted attorney Jennifer Granick points out in this post for the Center for Internet and Society at Stanford Law School, both the House and Senate bills – not to mention the White House plan – fail the civil liberties sniff test.
First, the bills go too far in waiving corporate liability for sharing otherwise federally protected personal information. Second, the bills offer few limits on the types of personal information that can be shared as part of cyber threat intelligence sharing – basically granting carte blanche to companies that have been attacked or otherwise feel threatened.
“Every one of these three proposals throws industry a bone by waiving liability for violating even our very inadequate privacy rules,” Granick writes. “And none of these three proposals narrowly and specifically identifies the categories of information that Congress wants to allow to be shared, despite privacy rules.”
In other words, Congress has waded into the murky waters of information security intent on pulling out a law that improves the security of U.S. citizens and companies. It has emerged holding a bill that does a little bit of that – but that also strengthens the hand of intelligence agencies that would like to monitor the online activities of U.S. residents.
Cue the outrage – which has been both swift and damning. In addition to Granick’s analysis, Wired’s Andy Greenberg wrote an article last week that gave CISA “an F for security but an A+ for spying.” The Center for Democracy and Technology sent a letter to the Senate Select Committee on Intelligence signed by top experts on cyber security, privacy and civil liberties urging it to reject CISA.
That may seem like predictable D.C. fare. But in a sclerotic political environment, even minor scuffles over scope and wording are enough to scuttle even critical legislation like this. The problem isn’t so much that bad cyber legislation will get passed. It is that – once again – unpalatable laws will be pushed forward and fail to get the votes needed to become law. For another year, we’ll kick the can down the road.
Given the stakes, it would be good for Congressmen and women to listen to the concerns of privacy advocates and the business community: double down on the cyber protection, dial down the surveillance and get something passed.