Two cybersecurity bills that would facilitate collaboration between private sector entities and the federal government in the defense against cyberattacks passed the U.S. House of Representatives on April 22 and 23, 2015: H.R. 1560, the “Protecting Cyber Networks Act” (PCNA); and H.R. 1731, the “National Cybersecurity Protection Advancement Act of 2015” (NCPAA). The bills answer longstanding calls to promote information sharing between the private and public sectors while attempting to mitigate privacy and civil liberty concerns and liability risks for private sector firms. Both bills currently have the qualified support of the Obama Administration and, because they differ in a few important details, will likely be reconciled within the House before being sent to the Senate for consideration later this year.
The legislation addresses several key topics: information sharing; privacy protections; the limitation of liability for private sector firms that participate in information sharing; and the authorization of defensive measures by the private sector.
Most fundamentally, the legislation encourages voluntary sharing between and among private sector entities and the government of “cyber threat indicators,” that is, information that describes or identifies cybersecurity threats and system vulnerabilities. Information sharing is purely voluntary, and shared information can be used by the government only for limited purposes—for national security and law enforcement under one of the bills and for the defense against cyberattacks under the other. The legislation confronts concerns about governmental overreach and privacy by otherwise restricting the federal government’s use of shared information, including for regulatory purposes; indeed, the government may be held liable if it uses shared information for an unauthorized purpose. The legislation also requires private sector firms as well as the federal government to adopt safeguards against the unintended disclosure of personally identifying information.
In response to private sector concerns about potential liability for alleged antitrust, intellectual property, confidentiality, and other violations arising from the sharing of information, the House bills limit the liability of companies that share information under the law. The legislation also authorizes private sector firms to use limited defensive measures to combat cyberattacks, that is, to use an “action, device, procedure, technique, or other measure” on a firm’s own information systems to prevent or mitigate a known or suspected cybersecurity threat or risk. The two bills specifically exclude actions that destroy, render unusable, or substantially harm an information system operated by third parties.
Differences in Implementation and Obama Administration Concerns
Several important differences between the bills remain unresolved. They part ways most significantly on implementation strategy: H.R. 1731 vests oversight in the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), whereas H.R. 1560 places the responsibility with the intelligence community, within the newly authorized Cyber Threat Intelligence Integration Center.
The Obama Administration has stated that it supports passage of both bills, but has also identified “improvements” it would like to see when the bills are reconciled. First, the Administration has stated that it prefers administration by the NCCIC, a civilian agency. Second, the Administration has questioned both bills’ “sweeping liability protections,” which it describes as “immunity to a private company for failing to act on information it receives about the security of its networks.” Third, the Administration has expressed concerns about the potential legal, policy, and diplomatic impacts of the authorized “defensive measures,” cautioning that without appropriate safeguards they may undermine the application of criminal and state tort laws.
Federal legislation that grapples with the growing cybersecurity problems facing the public and private sectors has been slow in coming. While this legislation does not fill the void entirely (notably, neither bill addresses data breach notification standards), if it becomes law it will provide tools that many commentators agree are necessary for effectively combating cyber threats. The broad-based and bipartisan support for the measures may mean more congressional cybersecurity efforts to come.