We have white smoke. Finally, after 8 years of discussion Congress has passed a cybersecurity information sharing bill. The Cybersecurity Act of 2015 is Division N of the omnibus spending bill that will soon be enacted by Congress. Title I of that bill is the information sharing provisions. Let's focus on that. Here are some of the highlights:
- DHS Wins. There had been a longstanding dispute over whether private sector entitites that wanted to share threat information with the Federal government had to go through DHS or if they could go directly to the FBI and/or NSA. The bill enshrines DHS as the hub of cyber sharing, by making liability protection contingent on sharing with DHS. The bill does compromise by requiring DHS to set up an automated system for real-time onward sharing to the rest of the government and by allowing POTUS to set up a second non-DHS center if he first notifies Congress. But the way the bill shakes out, DHS will now be squarely ensrhined as the center point for Federal/private sector engagement.
- Privacy Loses, a bit. The bill has a requirement that the private sector assess whether any information it is sharing with the Federal government is "not directly related" to a cyber threat and whether it "knows at the time of sharing" that this non-direct information contains personal information of a specific individual or identifies an individual. The private entities must also use technical means to scrub that information from what they forward to the government. The phrases "not directly related" and the requirement of actual knowledge at the time of sharing are both broad enough that I suspect that more private information will be shared than the privacy community would prefer.
- Privacy wins, a bit. There has been a debate ongoing about the contours of what purposes cyber threat information can be put to when shared with the Federal government. What if, say, the information also discloses a drug cartel or a financial fraud. Privacy advocates had wanted a strict limit on other purposes to which the information could be put. They got a partial victory. In addition to sharing for cybersecurity purposes (obviously) the cyber threat information may only be shared for the purpose of responding to, preveting or mitigating a specific threat of "death or serious bodily injury" or "serious economic harm." The first of those is a relatively well-known, and narrow category. The latter seems to me more capacious and capable of "expansion" but still a cabining of some sort.
- Industry wins, big time. For a long time there has been significant debate about the scope of the liability protection afforded private industry when it shares information with the government. Industry had wanted an absolute bar on liability. The privacy community and the tort bar had wanted protection only for sharing that was done "in good faith" (or, sometimes, not done "negligently"). The key of course was that an intent based standard would often be litigable and open up the courts to well-founded allegations of bad faith -- something that the private sector strongly opposed. It seems to me, they won. Liability protection will now attend to any information sharing activity that is "conducted in accordance" with the bill's provisions. Rejecting an intent test, this formulation seems to focus exclusively on the technical requirements for sharing -- compliance with which should be relatively easy to document and prove.
There's more of course -- three whole Title's worth. But we'll leave those for another day ....