Cybersecurity: Legislation

The Administration's Cyber Proposals -- Information Sharing

By Paul Rosenzweig
Friday, January 16, 2015, 3:56 PM

As part of the run-up to the State of the Union address next week, the Administration has been releasing publicly some of its policy proposals.  One of the most notable suites of proposals involved new legislation relating to cybersecurity.  The transmittal letters and section-by-section analyses can be downloaded from the OMB website.  The White House sent to Congress three distinct proposals:

I don't propose to review the CFAA provisions.  Orin Kerr has already reviewed them extensively (and in an analysis with which I generally agree) at the Volokh Conspiracy.  In this post, I want to review the first of the other two proposals on information sharing (with plans to review the data breach proposal later).  Bottom line: Not bad but not terribly useful either.

Authorities and Information Sharing:

The first proposal is intended to resolve two long-standing and persistent problems -- a lack of clarity about DHS's actual legal authorities and the many objections (mostly legal, though some policy oriented) to enhanced information sharing between private sector entities.  After setting out some purpose and definitions, the proposal begins, in Section 103, by authorizing (but not requiring) private sector entities to share cyber threat indicators with DHS (through the National Cybersecurity and Communications Integration Center) and law enforcement.  In doing so a private sector actor must make "reasonable efforts" to minimize personal identifying information that it "reasonably believes" is not related to the cyber threat.  [You gotta love the "double 'reasonable'" in that drafting!]  This authorization preempts all contrary Federal or State law that might prohibit the sharing of information.

Of course sharing with the US government is only part of the question.  We also sometimes think that we want to advance private-to-private information sharing.  With regard to that issue the proposal takes a small half step.  In Section 104, the bill authorizes the creation of a standard-setting organization that will identify best practices for private-sector information sharing.  It doesn't authorize the sharing directly, but later (in Section 106) the bill contemplates that such private organizations will self-certify compliance with these standards -- a provision that must, implicitly, be read as authorizing the organizations.

Section 105 makes the NCCIC the civilian portal for the collection and dissemination of cyber threat information and directs DHS to do this sharing in as close to real time as possible.  Since one of the major complaints about current government threat and information sharing is that it has been too slow and incomplete, Section 105 moves in the direction of requiring automated real-time sharing -- color me skeptical, but if this proves feasible it will be a substantial improvement.

Section 106 is where the rubber really meets the road.  Here, I think that the Administration's proposal is both ambiguous and, in the end, perhaps a bit disingenuous if the ambiguity is intentional.  Let me explain. Section 106(a) appears to clearly favor the industry side of the debate over that of the tort bar.  The liability limitation proposed is absolute -- no suit shall lie against any entity for sharing cyber threat information with the Federal government or a self-certified private sector sharing organization or receiving threat information.  Period.  Full stop.  Last time around several Democrats had wanted a "good faith" clause in the language.  It is missing here.

On the other hand there seems to be an inconsistency between this provision and the preemption language of Section 108(b): "This Act supersedes any law or requirement of a State or political subdivision of a State that restricts or otherwise expressly regulates the retention, use or disclosure of cyber threat indicators by private entities to the extent such law contains requirements inconsistent with this Act."  The Act then expressly saves ALL other State law in section 108(c).

So ... is a state tort law, for example, a law that "expressly" regulates the use or disclosure of cyber threat information?  I would think not ... and that therefore it is saved by the language of section 108(c).  But a tort suit is a "cause of action" and Section 106 says "No civil action ... shall be maintained .... in any ... State court" against any entity for the disclosure or receipt of threat information.  But that doesn't seem to go as far as it might.  The way I read this, you can't sue in tort for disclosing the information or receiving it -- but tort suits still lie against those who actually USE the information in some way that appears negligent.  Those suits are within the saving clause and are not limited by Section 106.  If I am reading this correctly, then this limitation is meaningless -- who cares about sharing information if you can't safely use it?

Other provisions of Section 106 are more clearly pro-security.  The section makes it clear that any cyber threat information shared with the government is exempt from disclosure under FOIA and cannot be used in a regulatory action against the disclosing entity -- again, both prohibitions are without limitation and are clearly in the "pro-business" category.

All is not, of course, pro-security.  The privacy community has some small victories in Section 107, which generally calls for data retention rules and makes anonymization of identifying information a priority.  The biggest victory (one I've criticized before) lies in 107(a)(2) which limits the internal USG sharing of cyber threat information to investigations and prosecutions of computer crime; crimes involving a threat of serious bodily injury; and crimes involving the sexual exploitation of minors.  I yield to no one in my opposition to sexual exploitation of minors, but it is a slightly odd rule that prioritizes that crime over almost all others (including, say, drug cartel investigations or major bank frauds) that may often have far greater adverse consequences.  More to the point, this limitation nods in the direction of re-erecting barriers and walls to information sharing that, in a post-9/11 world, seem to me unwise.

Is It Worth It?

Given all the Sturm und Drang, the worst part about all of this is that it seems to me to be portending a big debate over something that won't matter that much.  Most of the analysts I know are in pretty wide agreement that the most significant types of threats come from sophisticated actors who are creating and deploying novel cyber threats.  For those sorts of new threats, no amount of information sharing is useful.  If we have never seen the threat before we can't share information about it.

To be sure, information sharing will help.  It is "nice to have" and will help many small actors reduce their cyber risk against more common forms of intrusion and theft.  But the greater, more challenging threats don't have an information signature to share.  To put it colloquially, given what we know in the public record it seems almost certain that even had this bill been enacted into law two years ago and fully implemented, nothing in it would have helped Sony avoid the North Korean (?) intrusion.

Indeed, intrusion prevention is really a pretty "old school" form of cyber defense -- it's so "last decade." :-)  Today, advanced cyber security firms use much more sophisticated methods of protection -- none of which are really enabled by this bill.  So in the end, this is "meh."  We are probably going to have a large fight over a bill that will do relatively little to address the most significant cyber threats.  Oh well ....