The Chair and Vice-Chair of the Senate Select Committee on Intelligence, Senators Feinstein and Chambliss, have introduced a draft cybersecurity information sharing bill. Early coverage of the bill from Inside Cybersecurity is here. My own quick analysis:
- The requirement to remove personally identifying information from shared cyber threat information is both critical to securing buy-in from privacy advocates and likely a significant vulnerability that diminishes effectiveness. The caveat that the information need not be minimized if it is "directly related to a cybersecurity threat" is both sensible and a formula for disagreement.
- The direction that the shared information be used by the Federal government only for "appropriate cyber purposes" more or less hides the hard part of the question and leaves much to be determined.
- The offer of liability protection to those in the private sector who share information with the government is a strong incentive. But it continues to contain the litigation bait of a "willful misconduct" exception -- which converts the liability protection into a bit of an artful pleading requirement.
- The designation of DHS as the info-sharing hub in the Federal Government is, one expects, hoped to blunt the prospect of sharing information with NSA. Implicit in the bill, however, is the reality that the information shared with DHS will also be shared with "other federal entities." I don't think that the privacy advocates will miss that implication.
On the whole, a good effort -- very much consistent with CISPA from the House and easy to conference if it passes the Senate. I have to wonder, however, if this type of legislation is viable in the post-Snowden era. We shall see ...