With last month’s House passage of the Cyber Intelligence Sharing and Protection Act (CISPA), the cybersecurity debate has now moved to the Senate, albeit quietly, as attention in the upper chamber has been intently focused on immigration. This lull in activity presents an opportunity for Senators to take stock of improvements that were made to the bill as it advanced through the House and begin forging agreement on what still needs to be done before the legislative process is over.
They begin in a good place, because there is widespread agreement on the fundamental proposition that sharing cyber threat information would bolster the country’s security posture. As passed in the House, CISPA would greatly improve the situational awareness of front-line IT professionals and law enforcement authorities by breaking down legal barriers that currently discourage information sharing between and among the public and private sectors.
Moreover, as the bill moved through the committee process and floor debate in the House, it benefited from a number of important refinements to protect citizens’ privacy and civil liberties. For example, it stipulates that government can only use the information it gets from the private sector for cybersecurity purposes and the definition of what constitutes a cybersecurity purpose has been narrowed. As passed in the House, the bill also makes civilian agencies of government (the departments of Homeland Security and Justice) the main hubs for the private sector to report potential cyber threats. Those civilian agencies have oversight authority for privacy concerns, too. And finally, the bill makes clear that it does not authorize the government to engage in surveillance of US citizens.
But additional improvements are still needed before BSA and many other stakeholders can support final passage of legislation on information sharing — and before President Obama would agree to sign it.
For BSA, there are three main priorities:
- First, sharing cyber threat information with the government should remain voluntary. CISPA came out of the House without any mandates, and it is very important that it remain that way. There are a number of good reasons for this, not least of which is the fact that it will improve the quality of information being shared, because companies will be free to separate wheat from chaff. Furthermore, mandates mean regulation, whereas a voluntary system with less regulation will also promote speed and adaptation, a sine qua non for effectively detecting and deterring fast-moving threats.
- Second, it should be made clear that companies will only receive liability protection if a civilian agency is their first point of contact when they share cyber threat information with the government. This is critically important because civilian agencies are best equipped to address privacy and civil liberties issues. This is not to say that companies should be forbidden from sharing with any agency of government they wish. If a company is already sharing information legally with any government agency, then that relationship should be allowed to continue. But there should be a simple rule that liability protection is only available if a civilian agency is your first stop.
- Third, companies should be held accountable for honoring contracts that spell out the types of cyber threat information they might share with the government. For example, it is common for companies to include these details in user license agreements and similar documents. If they violate those contracts, then their customers should be allowed to challenge the disclosure. It seems self-evident that a company should not be given carte blanche to break its contractual word. But including a provision that clarifies this would nonetheless be useful. Among other things, it would help ensure that the program remains voluntary, because it would give companies legal leverage to resist any pressure they might feel to share information.
Additionally, it is important for any cybersecurity legislation to be written in a way that is not overly regulatory. For example, specifically designating which types of data can be considered cyber threat information could prove to be too cumbersome and thus ineffective. The standards must be flexible and take into account the realities of an ever-changing threat landscape.
By taking these considerations into account, the Senate has an opportunity to further protect people’s privacy and civil liberties, prevent government from strong-arming companies into sharing more than would be appropriate or necessary — and get us one step closer to the stronger cybersecurity footing that the country urgently needs to achieve.