This has been a busy few months inside the Washington, D.C., Beltway for policy topics related to cybersecurity. President Obama signed an executive order in February regarding the promotion of private-sector information sharing. The U.S. Congress is now debating several bills, as both sides of the political aisle agree that addressing cybersecurity is an urgent issue.
According to TheHill.com: “President Obama recently called cyberattacks a “national emergency,” and the cybersecurity legislation has moved through the Republican-controlled Congress relatively quickly because leaders from both political parties recognize that cybercrime threatens us all in a very big way. Now.”
So what are the cyberpolicy initiatives and will new laws be enacted?
Back in late April, the House of Representatives passed the Protecting Cyber Networks Act by a wide margin of 307-116, with the support of the White House.
H.R. 1560 would establish within the Office of the Director of National Intelligence (ODNI) a center that would be responsible for analyzing and integrating information from the intelligence community related to cyberthreats. In addition, the bill would require the government to establish procedures for sharing information and data on cyberthreats between the federal government and nonfederal entities. CBO estimates that implementing the bill would cost $186 million over the 2016-2020 period, assuming appropriation of the estimated amounts.
USNews.com reported that “the bill would offer legal protections to companies that would enable them to share more information about their networks and hacker threats with the government.”
Critics of previous bills, such as Rep. Adam Schiff of California, the ranking Democrat on the House Permanent Select Committee on Intelligence, announced their support for this bill. Rep. Smith also announced that privacy protections are stronger in this bill, but cautioned that “improvements may still be needed to be made to make sure companies are not given too much immunity if they share unnecessary customer data or if they fail to act on leads about hacker threats.”
Nevertheless, the bill still has several controversial components. “The use of defensive measures without appropriate safeguards raises significant legal, policy, and diplomatic concerns and can have a direct deleterious impact on information systems and undermine cybersecurity,” the White House said in a statement.
Another bill, H.R. 1731 or “The National Cybersecurity Protection Advancement Act (NCPA) of 2015,” was introduced in April by two House Republicans from Texas. The authors, U.S. Rep. Michael McCaul, R-Texas, chairman of the Committee on Homeland Security, and U.S. Rep. John Ratcliffe, R-Texas, chairman of the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, introduced the act to improve cybersecurity by encouraging voluntary information-sharing about cyberthreats between and among the private sector and government.
According to the sponsors (and as seen by the video below), the NCPA Act bolsters our nation’s cybersecurity by providing the liability protections industry needs and the privacy protections Americans demand and deserve. They wrote: “This pro-security, pro-privacy bill is the result of close collaboration with industry and privacy stakeholders and other committees in the House.”
Meanwhile, over in the U.S. Senate, the Cybersecurity Information Sharing Act of 2015 (or CISA) passed the Senate Intelligence Committee in March 2015 by a 14-1 vote. That bill was essentially the same as CISA 2014, with provisions summarized by the Heritage Foundation, such as:
Liability Protection. CISA provides strong liability protection for information sharing that follows CISA’s procedures—so long as such sharing is not grossly negligent or an act of willful misconduct. Such a high bar of protection ensures that companies that share or receive information will not be sued for merely trying to improve their and other’s cybersecurity. A lower standard, such as “good faith,” may sound strong, but it is much easier for a tort lawyer to insinuate a lack of good faith than it is to prove willful misconduct or gross negligence. Overall, this level of liability protection will ensure that information sharing is less hindered by the threat of potential lawsuits.
Similarly, CISA provides Freedom of Information Act protections for shared data and does not allow regulators to use information to directly regulate the lawful activities of sharers or receivers of threat information.
Authorized Uses. CISA allows the government to use information gained by information sharing for several purposes, including:
• Enhancing cybersecurity,
• Identifying a cyberthreat from a foreign adversary or terrorist,
• Preventing or prosecuting cases involving death, serious bodily harm, or other violent felonies,
• Stopping or mitigating threats of serious economic harm,
• Combatting serious threats to minors,
• Investigating and prosecuting cases of fraud and identity theft, and
• Protecting the U.S. from and taking action against those who engage in espionage and the theft of trade secrets.
But opponents of CISA 2015 say it still threatens civil liberties and won’t help win our cybersecurity battles. An ACLU blogger wrote, “CISA is one of those privacy-shredding bills in cybersecurity clothing.” The blog said that the bill is all about NSA surveillance.
There has been a rare bipartisan unity in the Congress on these legislative efforts regarding cybersecurity, as well as general support from the White House, which has been missing in previous years. Recent press releases have been issued, such as this one from Congressman Cramer who represents North Dakota, which proclaim that these new cyber bills protect privacy while cracking down on cybercrime.
“Americans’ personal and financial information is under increasing risk. It's estimated that $445 billion per year is lost to cybercrime across the world. As our reliance on information technology steadily grows, Congress needed to act to improve the security of our personal and financial information and ensure confidence. These bills strike the right balance between protecting an individual’s civil liberties and providing network security personnel the information they need to protect their networks from future attacks,” said Cramer.
USA Today commented on Obama’s call for legislation to help share cyberthreat information between the public and private sectors.
President Obama has called on Congress to pass strong cybersecurity information-sharing legislation, and lawmakers have been moving quickly to do that….
Both the House-passed bill and the bill approved by the Senate intelligence committee offer liability protection to companies to shield them from lawsuits that could arise from the sharing of business records with the government and with one another. Businesses have been reluctant to tell the government about cyberattacks because of their fear of lawsuits from consumers or privacy groups.
One key difference between the two bills is that the Senate bill requires any information shared by private companies to first go through the Department of Homeland Security. The House bill would allow companies to share their cyber-threat information with any civilian agency. A bank, for example, could go straight to the Treasury Department for help.
Nevertheless, many critics remain who oppose these latest legislative efforts. Leo King at Forbes.com wrote that the cybersecurity law is ridiculously out of touch.
Earlier this week some 55 civil society organizations and security experts – including Access, the American Civil Liberties Union, the Bill of Rights Defense Committee, the Center for Democracy and Technology, Electronic Frontier Foundation, Human Rights Watch, Liberty, and professors and experts at the Massachusetts Institute of Technology, Stanford University, the Tor Project, Twitter and VMware – all expressed incredibly serious concern about the PCNA.
In a letter, they wrote that the act would authorize companies to monitor users’ online activities, and share information including their online communication, without proper privacy protection. ...
A reluctant viewpoint was also articulated by Wired magazine’s coverage of these cyberbills. After reporting that the Obama administration has announced general support for these bills, and describing some of PCNA’s significant privacy safeguards, Wired goes on to quote Robyn Greene, policy counsel for the Open Technology Institute (OTI).
But privacy advocates haven’t given up on a presidential veto. A new website called StopCyberspying.com launched by the internet freedom group Access, along with the EFF, the ACLU and others, includes a petition to the President to reconsider a veto for PCNA, CISA and any other bill that threatens to widen internet surveillance.
OTI’s Greene says she’s still banking on a change of heart from Obama, too. “We’re hopeful that the administration would veto any bill that doesn’t address these issues,” she says. “To sign a bill that resembles CISA or PCNA would represent the administration doing a complete 180 on its commitment to protect Americans’ privacy.
Newamerica.org went even further in outlining their opinion that the Cybersecurity Information Sharing Act of 2015 is Cyber-Surveillance and not cybersecurity. “Despite increasing doubts about whether information-sharing legislation could have prevented an Anthem, Sony or Home Depot-style hack, CISA’s proponents insist that passing cybersecurity information sharing legislation is the single most important way to enhance cybersecurity. However, the bill’s primary effect will be to increase cyber-surveillance.”
The overall privacy argument against NSA appeared to be helped a bit last week when a federal appeals court in Manhattan Thursday struck down the government's controversial National Security Agency program to collect bulk data on Americans' telephone calls.
“The judges permitted the NSA program to continue temporarily as it exists, but they implored Congress to better define where boundaries exist or risk "invasions of privacy unimaginable in the past."
Beyond efforts on Capitol Hill on new legislation, there has also been movement toward implanting the new information sharing organizations promised by the president’s executive orders on cybersecurity earlier this year.
In his PwC blogs, David Burg laid out next steps in cybersecurity information sharing. He describes how: “Information Sharing and Analysis Organizations (ISAOs) have the potential to energize the flow of cyber intelligence among federal agencies and between the private and public sectors.”
PwC convened leaders from the government, Fortune 100 and academics to discuss and brainstorm a national public-private partnership to combat cybercrime in April. Attendees helped draft proposed ISAO models and discussed what government actions that could promote their creation and adoption.
You can see their related tweets here as well as their potential models and the nuts and bolts of ISAOs – required protocols, trust-building, creating real value and incentives for participants, government interaction, liability issues, and reputation considerations.
I often get asked to comment more on the ups and downs of cybersecurity legislation, but after watching history repeat itself multiple times over the past five years, I generally hold off.
I find commenting on new cybersecurity legislation is a bit like searching for stories about Tim Tebow chasing his dream to play in the NFL. You can love Tebow or hate him, but either way everyone keeps coming back for more. And everyone seems to have an opinion on cybersecurity legislation – whether you support more incentives to share data or advocate for more privacy.
I do believe that the success of recent bills demonstrates that legislation will pass this year, with the cybersecurity bills mentioned above as main ingredients in whatever compromises eventually emerge to be signed by the president. Still, I have been wrong before, and I wouldn’t bet my house on comprehensive legislation passing.
The same privacy groups continue to strongly fight these cyberbills on the grounds that they are government surveillance programs. And while I have privacy concerns as well, I am hopeful that a compromise will be reached. Nor now, I will resist the temptation to put a timetable on when an agreement will be reached.
Meanwhile I applaud the efforts of PwC and states like Virginia to get moving on implementing ISAOs now. Back in April, Gov. Terry McAuliffe announced that the commonwealth of Virginia is establishing the nation’s first state-level Information Sharing and Analysis Organization (ISAO).
I encourage more state and local governments to follow Virginia’s example.