In recent months, the House and Senate both introduced bills that aim to enhance cybersecurity by promoting information sharing among private entities, and between private entities and the federal government. On March 12, 2015, the Senate Select Committee on Intelligence approved the Cybersecurity Information Sharing Act of 2015. The Senate has not yet passed the bill.[1] On the House side, the House Permanent Select Committee on Intelligence approved the Protecting Cyber Networks Act, which subsequently passed the House.[2] Though the House and Senate versions are similar in many respects, their differences have left privacy advocates attempting to sort out which bill's information-sharing provisions best protect privacy.

Comparison of House and Senate Versions: Sharing by Private Entities

Recent discussion regarding cybersecurity has focused on ways to facilitate information sharing among private sector entities, and between private sector entities and the government, in an effort to enhance security. Though their approaches differ in some respects, both the House and Senate versions create information-sharing processes aimed at addressing current cybersecurity concerns.[3]

The two bills encourage private entities to share information about "cyber threat indicators"[4] or "defensive measures"[5] among themselves and with the federal government by explicitly authorizing, and providing liability protection for, such sharing.[6]

The House and Senate versions both require that federal entities receiving cyberthreat indicators or defensive measures employ security controls to guard against unauthorized access to the shared information.[7] In addition, both bills require nonfederal entities to take similar steps to secure the information they share or receive.[8] Furthermore, both bills mandate that, prior to sharing, a federal entity must review cyberthreat indicators and remove any information that the federal entity knows, at the time of sharing, to be personal information not directly related to a cybersecurity threat.[9] The bills also require that nonfederal entities scrub personal information prior to sharing, though the bills' requirements vary. The House version mandates that a nonfederal entity take "reasonable efforts" to remove information the entity "reasonably believes at the time of sharing" to be personal information not directly related to a cybersecurity threat.[10] The Senate version only requires such removal where an entity knows, at the time of sharing, that information is personal information not directly related to any cybersecurity threat.[11]

The major differences between the two bills on information sharing and liability include:

  • The House version requires the president to create policies and procedures for government receipt of cyberthreat indicators and defensive measures, and to submit those policies and procedures to Congress.[12] In contrast, the Senate version requires the attorney general (rather than the president) to work together with the heads of appropriate agencies in order to create, and submit to Congress, such policies and procedures.[13]
  • The House version allows private entities to share information about cyberthreat indicators or defensive measures with "appropriate federal entities,"[14] with the exception of the U.S. Department of Defense and the National Security Agency.[15] The Senate version authorizes private entities to share with the federal government without restriction, thus permitting a private entity to share directly with the NSA.[16]
  • The Senate version permits the U.S. Department of Homeland Security, which is instructed to develop a portal for the receipt of information from private entities,[17] to share information received from private entities with other appropriate federal entities, including the NSA.[18] Though the House version does not permit private entities to share information directly with the NSA, it requires that information shared with other appropriate federal entities be subsequently shared "in real-time with all of the appropriate Federal entities," which would include the Department of Defense and the NSA.[19] Both versions authorize this disclosure of shared information to other federal agencies for cybersecurity purposes,[20] or to investigate or prosecute certain crimes unrelated to cybersecurity.[21]
  • In the Senate version, private entities are granted liability protection if information about cyberthreat indicators is: (1) shared through the portal that the bill charges DHS to create; (2) shared through nonelectronic means; (3) shared with the sharing entity's own regulator; or (4) a cyberthreat indicator that has been shared on a prior occasion.[22] The House version grants liability protection only to private entities that share solely pursuant to Section 103(c).[23] Thus, under the House version, private entities are not protected from liability if they share cyberthreat indicators or defensive measures directly with the Department of Defense or the NSA.
  • The House version provides that the government may be liable where it acts intentionally or willfully in violating the privacy and civil liberties of injured persons.[24] The Senate version does not contain a similar provision.
  • The House version calls for the creation of the Cyber Threat Intelligence Integration Center (CTIIC) within the Office of the Director of National Intelligence. The Senate version does not. The House version mandates that the CTIIC: (1) "serve as the primary organization within the Federal Government for analyzing and integrating all intelligence possessed or acquired by the United States pertaining to cyber threats;" (2) "ensure that appropriate departments and agencies have full access to and receive all-source intelligence support needed to execute the cyber threat intelligence activities of such agencies and to perform independent, alternative analyses;" (3) "disseminate cyber threat analysis to the President, the appropriate departments and agencies of the Federal Government, and the appropriate committees of Congress;" (4) "coordinate cyber threat intelligence activities of the departments and agencies of the Federal Government;" and (5) "conduct strategic cyber threat intelligence planning for the Federal Government."[25]

The Obama Administration Supports the House Version, With Reservations

While the Obama administration has not publicly taken a stance on the Senate version,[26] it has issued a statement of administration policy supporting the passage of the House version.[27] The administration commended the House Permanent Select Committee on Intelligence's efforts to craft legislation on cybersecurity information sharing that incorporated better privacy protections, and "for requiring that intragovernmental sharing be governed by a set of policies and procedures developed by the Federal Government to protect privacy and civil liberties." Despite offering its overall support for the House version, however, the administration noted that "[s]everal improvements are needed to ensure that [the bill] appropriately encourages and facilitates information sharing while safeguarding individuals' privacy interests and civil liberties."

Specifically, the administration expressed concern that the bill's "sweeping liability protections" would "remove incentives for companies to protect their customers' personal information and may weaken cybersecurity writ large." In regard to these protections, the administration opined that, because the House version only requires entities to take "reasonable measures" to scrub personal information before sharing with others, an entity that is "grossly negligent or even reckless" in doing so may be shielded from liability under such broad liability protection. In addition, the administration took issue with the House version's approach of authorizing information sharing through numerous federal departments. In contrast, the administration expressed its support for a structure that would create "new liability-protected sharing relationships" through DHS' civilian entity, the National Cybersecurity and Communications Integration Center.

The administration also expressed concern that the House version's authorization of defensive measures is not "adequately tailored." In the administration's view, the bill's approach to such measures lacks appropriate safeguards, and thus raises "significant legal, policy, and diplomatic concerns and can have a direct deleterious impact on information systems and undermine cybersecurity." With its concerns noted, the administration expressed its support for the passage of the House version so that the House and Senate can work together to improve the bill as the legislative process continues.

Privacy Advocates And Industry Differ on Both the House and Senate Bills

Privacy advocates oppose both bills. The Center for Democracy & Technology has voiced its opposition to both the House and Senate versions of cybersecurity legislation. With respect to the House version, the CDT takes issue with its authorization of defensive measures, failure to require adequate scrubbing of personal data, and failure to affirmatively address the cybersecurity-related conduct of the NSA.

The CDT asserts that the House version contains "egregious provisions" that liken it to a surveillance bill, not a cybersecurity bill.[28] Specifically, the CDT takes issue with the requirement that a cyberthreat indicator shared with the federal government be immediately shared with the NSA, because it believes such a requirement will chill the very sharing the bill is meant to promote. Further, the CDT is concerned that the House version will allow cyberthreat indicators shared with the federal government by private entities to be used to investigate crimes having nothing to do with cybersecurity. The CDT is also concerned that the bill does not include a mechanism to encourage private entities to follow the information-sharing rules it establishes.

The CDT has also consistently voiced its opposition to the Senate version. The CDT takes this position because the bill permits private entities to share information directly with the NSA, and the government may use shared information for law enforcement purposes unrelated to cybersecurity.[29] The CDT has noted that the Senate version's authorization of companies' sharing "information derived from users' internet communications directly with the NSA" is an important distinction between the two versions. In June, the CDT voiced its disapproval of the attempt to attach the Senate version to the National Defense Authorization Act.[30] Though the CDT believes that some improvements to the bill were made during the committee markup, it views further debate and amendment as necessary to address the remaining privacy and civil liberties issues with the Senate version.

Other privacy advocates have also voiced their opposition to the House version. The American Civil Liberties Union and the Electronic Frontier Foundation, along with several other open government and civil liberties groups, wrote a joint letter in opposition to the bill.[31] The groups opined that, while the House version is "less pernicious" than the Senate version, it nonetheless falls short of providing adequate privacy protections. The groups expressed their concern that the House version, if passed, would likely increase government secrecy and invite surveillance abuses.

Industry groups, on the other hand, support both bills. The Protecting America's Cyber Networks Coalition, which includes the U.S. Chamber of Commerce,[32] supports the passage of the Senate version, and urged the Senate to consider and pass the bill in a letter to Senate members.[33] The coalition called on Congress to send a bill to the president that would provide businesses with a "safe harbor against frivolous lawsuits" as they voluntarily share and receive information about cyberthreat indicators and defensive measures "in real time." Further, the coalition opined that the Senate version reflects "sound compromises" between offering protections related to the timely exchange of information between businesses and the government, and safeguarding privacy and civil liberties through the assignment of appropriate roles for government agencies and departments.

In addition to supporting the Senate version, the Chamber of Commerce supported the passage of the House version.[34] When the House version passed, the Chamber issued a statement applauding the House for its work. Bruce Josten, the Chamber's executive vice president for government affairs, stated, "[t]he Chamber has long advocated for legislation that gives businesses strong protections from liability when voluntarily sharing and receiving cyber-threat indicators and taking actions to mitigate cyberattacks — and [this bill does] that."[35] Tom Ridge, former DHS secretary, former Pennsylvania governor and chairman of the Chamber's National Security Task Force, asserted that the House version "knocks down barriers" to cybersecurity information sharing and monitoring that inhibit even those companies with the best of intentions. Ridge believes the improved sharing will help both businesses and their government partners "bolster their defenses against cyberattacks."

Conclusion

Given the administration's support of the House version, and recent large-scale data breaches affecting consumers, industry, and the government, it seems likely that the president, if presented with the opportunity, will sign a cybersecurity bill passed by both the House and the Senate. It remains unclear when any action on the Senate version might occur. Since the attempt to append the legislation to the National Defense Authorization Act, no further action has been taken.[36]

Published by Aerospace & Defense Law360 on August 7, 2015. Also ran in Privacy Law360, Public Policy Law360, Technology Law360, and Telecommunications Law360.