Five bills aimed at governing the sharing of cyberthreat information have been proposed in the current session of Congress. Technically, only two are now pending, but that’s because two in the House and two in the Senate were combined.
The House bills – originally labeled H.R. 1560, Protecting Cyber Networks Act (PCNA); and H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA) – both passed the House during the week of April 20 and were then combined, with the PCNA becoming Title I and the NCPAA Title II of H.R. 1560.
According to the Congressional Research Service (CRS), both Titles of the combined House bill have several things in common. They both include the following:
- Focus on the sharing of cyberthreat information within the private sector, and between the private sector and government.
- Create a structure for the information-sharing process.
- Address issues like privacy, civil liberties and the liability risks of private-sector sharing.
However, they differ in how they define some common terms, such as “cyberthreat indicator,” as well as in the roles the Department of Homeland Security (DHS) and intelligence agencies will play, the uses permitted for shared information, and the reporting requirements.
Privacy remains a hot issue
The involvement of intelligence agencies and the permitted uses of threat intelligence are particularly hot-button issues for privacy advocates, who argue that the bills should more specifically restrict the use of the information to investigating only crimes involving cybersecurity.
Ari Schwartz, director of Cybersecurity, National Security Council at the White House, said in a presentation at the recent Senior Executive Cyber Security Conference at Johns Hopkins University in Baltimore, that the current House bills address those complaints, with “minimization” of the collection of personally identifiable information (PII) and restricting the use of all shared information to cybersecurity.
But he said liability protections had become too expansive. Indeed, the White House, in a “Statement of Administrative Policy” in April, said what it called “sweeping” liability provisions, “should not grant immunity to a private company for failing to act on information it receives about the security of its networks.”
The statement also called for amendments to the bill that would, “ensure that information is not shared for anticompetitive purposes.”
Finally, it expressed concerns about H.R. 1560 authorizing “potentially disruptive defensive measures” – what many in IT call “hacking back” against attackers. The White House said such measures, “without appropriate safeguards raises significant legal, policy, and diplomatic concerns and can have a direct deleterious impact on information systems and undermine cybersecurity.”
But Schwartz, as the White House representative, said he thought those flaws could be addressed in committee.