Today, the House Homeland Security Committee marked up a cybersecurity information sharing bill that promised to be “the best of the bunch” in terms of civil liberties protections among the cybersecurity information sharing bills that Congress is currently considering. Unfortunately, the bill misses the mark in a key respect.
The problem starts with the fact that, like the other pending bills, the National Cybersecurity Protection Act (NCPAA, H.R. 1731) would authorize companies to share cybersecurity threat indicators “notwithstanding any law” – a problematic approach that is sure to have unintended consequences. As in the other bills, “cyberthreat indicators” are broadly defined in Section 2 of the bill to permit flexibility as technology changes and as the information that needs to be shared to counter cyber attacks evolves.
To compensate, partially, for the risk to privacy that comes with a broad definition of the information that can be shared “notwithstanding any law,” cybersecurity information sharing legislation can put strict limits on the purpose for which information is shared and on the use of that information. It is in establishing those strict use and purpose limitations that the NCPAA falls short.
Under the NCPAA, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), codified by Congress last year as Section 226 of the Homeland Security Act of 2002, would enter into contracts with private sector entities that would permit those entities to share cyber threat indicators with the NCCIC only for cybersecurity purposes. Section 3(i), p. 14. The government could retain, use and disseminate cyberthreat indicators only for cybersecurity purposes. Companies could monitor their networks (conduct “network awareness”) for cybersecurity purposes and share cyber threat indicators with each other only for cybersecurity purposes. So far, so good: with certain limitations, civil society groups have been seeking these purpose and use limitations for the six years Congress has been considering cybersecurity information sharing legislation.
However, the bill defines “cybersecurity purpose” very broadly to include the purpose of protecting against any crime whatsoever and the purpose of protecting against any violation of any acceptable use policy, including those that have nothing to do with network protection. These are not cybersecurity purposes.
The bill does not say this directly because if it did, it would be easily fixed. Instead, it defines “cybersecurity purpose” as the “purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity risk or incident.” (Section 2(a)(6) on p. 4). It does not define “cybersecurity risk or incident.” Those terms are defined in the law that codified the NCCIC, the National Cybersecurity Protection Act of 2014. A “cybersecurity incident” includes any crime without limitation, including crimes that have nothing to do with cybersecurity, and any violation of an acceptable use policy, even if the violation does not render an information system, or data, more vulnerable to attack. Section 226(a)(2) of the Homeland Security Act.
As a result, the bill permits companies to monitor their networks and share information for the “cybersecurity purpose” of investigating and prosecuting minor drug crimes, car theft, bank robbery and any other crime. And it permits the government to use that information for the same purposes. That makes the legislation, intended to be a cybersecurity bill, look much more like a cyber-surveillance bill. Even the Senate Intelligence Committee’s Cybersecurity Information Sharing Act (S. 754) – which has been roundly criticized for permitting vast law enforcement use of shared cyberthreat indicators – has narrower law enforcement use restrictions.
This is unfortunate because the bill does a lot of good work. By bolstering the role of the NCCIC, it helps ensure that the government’s cybersecurity program as it relates to the civilian private sector is controlled by a civilian agency – the Department of Homeland Security. Civilian control can help promote transparency and accountability. This, in turn, builds the kind of trust that can encourage private sector participation in a voluntary information sharing arrangement.
There are other problems in the NCPAA besides the expansive purpose and use authorizations:
- It defines information “sharing” to include information “receipt,” which creates a number of anomalies (Section 3(a)(11) on p. 6);
- The countermeasures that companies can operate against cybersecurity risks include measures that violate the federal anti-hacking statute, the Computer Fraud and Abuse Act (18 U.S.C. Section 1030); and
- The obligation it imposes on companies and the government to remove personally identifiable information prior to sharing a cyberthreat indicator is weak, and permits the sharing of PII “related to” a cybersecurity risk even if sharing that information is unnecessary to describe or mitigate the risk.
But the failure to limit the sharing and use of broadly defined cyberthreat indicators to true cybersecurity purposes is the major flaw in the bill, and if it were fixed, the bill could become “the best of the bunch” that its lead sponsors, Rep. Michael McCaul (R-TX) and Rep. John Ratcliffe (R-TX), intend it to be.
Gregory T. Nojeim is the Director of the Freedom, Security and Technology Project at the Center for Democracy & Technology. He is the author of “Cybersecurity and Freedom on the Internet,” which appeared in the Journal of National Security Law and Policy. He testified on cybersecurity before the Senate HSGAC Committee earlier this year.