Congress to Consider Radically Different Approaches in Cybersecurity Standoff
The House of Representatives has plans to focus on cybersecurity in the coming weeks and, as a result, is slated to consider at least two bills that have gained substantial traction out of committee. These bills carve out exceptions to privacy laws to allow private companies to disclose “cyber threat intelligence” to the government. The need for such a law is proclaimed by political officials and private entities alike. Current privacy laws—such as the Electronic Communications Privacy Act or the Privacy Act—provide an all-important shield against disclosure of private information but often have the consequence of hamstringing efforts to identify and prevent cyber threats.
The first bill to be considered next week on the House floor will be the PRECISE Act (Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (H.R. 3674)), sponsored by Homeland Security Committee Chairman Dan Lungren (R-CA). This bill carves out narrow exceptions to privacy regulations, and has even received the backing of open internet advocacy groups such as the Center for Democracy and Technology. The second bill, CISPA (Cyber Intelligence Sharing and Protection Act (H.R. 3523)), proposed by Rep. Mike Rogers (R-MI) of the House Intelligence Committee, offers a broader immunity for disclosures. CISPA has been denounced by prominent internet blogs such as Techdirt, among other technology rights advocates, but has received the backing of technology firms like Microsoft and Facebook.
It’s important to note that under either bill, disclosure of cyber threat information is voluntary. However, the bills approach such disclosures differently, meaning that the way ISPs and other internet companies do business will change according to which set of regulations is passed.
For example, CISPA allows the disclosure of any information “pertaining to the protection of a system or network” from disruption, destruction, or theft or misappropriation of private or government information or intellectual property. It also allows the government to use the information in myriad ways, including those not necessarily tied to cybersecurity. The PRECISE Act, on the other hand, creates a third-party quasi-governmental entity—the National Information Sharing Organization—to route all disclosures between private entities and the federal government. According to this organization’s proposed operational guidelines, disclosed information must be used only for cybersecurity purposes.
Notably, CISPA also allows the government to disclose sensitive cyber threat information to private entities if such disclosure is consistent with the need to protect U.S. national security. Companies seem to like CISPA, latching onto this increased access to (even classified) information, as well as the blanket immunity for sharing information with a range of entities, even if those recipient entities fail to take appropriate protective measures to keep such information private.
Once again, the fight between internet security and privacy rages on the Hill, so we’ll be sure to keep you up-to-date as these bills reach the floor.