Well, the Cybersecurity Act of 2012 is now available for Senate consideration. A link to the text of the bill can be found here for download. Hearings will be held this Thursday. Weighing in at 205 pages, the bill’s text will require quite a bit of effort for analysts to parse. What I hope to do over the next few days is look at each of the major and/or controversial Titles of the bill (some, like better cyber education, raise important issues – but they aren't issues that are likely to divide the Congress). Since I’ve been promised a briefing on the regulatory structure of the bill, I thought I’d start with a different section. Let’s look at the information sharing provisions, found in Title VII.
The bill begins by recognizing that existing legal barriers (or perhaps just legal ambiguities) exist that prevent private sector entities from monitoring even their own systems or the systems of people to whom they provide cybersecurity services. Section 701 of the bill removes those legal barriers and permits private entities to monitor and defend their own systems and the systems of a third party who authorizes them to act on its behalf. Section 702 follows this up by allowing private sector entities to voluntarily share cyber threat information among themselves. To guard, presumably, against collusion on other matters, shared information can only be used to protect information systems and personally identifiable information (PII) must be reasonably safeguarded. Taken in combination, these two sections are likely to achieve much of the same voluntary private-to-private sharing contemplated by the House bills I blogged about earlier.
The bill then turns its attention to engaging the government in information sharing with the private sector. It chooses a relatively benign method by creating what are to be known as “Cybersecurity Exchanges.” Under Section 703, there will be at least one “lead Federal cybersecurity exchange” to facilitate and encourage information sharing with both Federal and non-Federal entities. In addition, DHS may, if it wishes, designate additional exchanges, which could be run either by Federal or non-Federal entities. Inasmuch as DHS already runs such an exchange (and that exchange is designated on an interim basis as the “lead” exchange), it isn’t clear how much value is added to existing structures by this provision.
The value-add, however, comes in section 704, which authorizes private entities to disclose cyber threat information to these new exchanges. In return, the information provided is exempt from FOIA, cannot be deemed a privilege waiver and is exempt from rules against ex-parte communications. Section 705, likewise, seeks to jump start greater sharing of classified threat information with the private sector.
Notably, under section 704, disclosure of cyber threat information to law enforcement authorities is going to be fairly limited. This is intended to ameliorate concerns that cyber information will become a font of "tips and leads" for government cops. Under the terms of the bill, cyber threat information may only be disclosed when a crime “has been, is being, or is about to be committed” and then only in conformance with a set of privacy and civil liberties protection procedures that the Secretary of DHS is charged with developing. Those procedures are intended to “minimize the impact on privacy and civil liberties” and limit the use of PII. Compliance with these rules will be overseen by a triumvirate of overseers – the Attorney General, the Privacy Officers of DHS and DOJ, and the Privacy and Civil Liberties Oversight Board.
The other portions of this Title that are likely to generate comment are sections 706 and 707. Section 706 is a limitation on liability. No cause of action can lie for the voluntary disclosure of cyber threat information if it is authorized by this bill. Good faith reliance on the information sharing provisions of the bill is a complete defense. And a liability waiver is also provided for the reasonable failure of a private entity to act on information received.
Section 707 operates in parallel. It is a federal preemption rule that expressly preempts all contrary State or local laws. In a nod to antitrust concerns, price fixing and market allocation allegations are carved out of the preemption and remain valid causes of action.
So what are we to make of this Title? On balance, it seems to reflect a general convergence of opinion in Congress that information can best be shared by authorizing private-to-private sector sharing (a rejection of the Obama Administration’s proposal to centralize information sharing through the government). It also reflects a broad consensus that private sector information sharing needs to be protected from liability under Federal and State laws – a consensus that is sure to generate some pushback.
If I had to predict, however, the weak point here is likely to be in the privacy and civil liberties protections. The scope of authorized sharing is quite broad and the privacy protections are encompassed in a set of procedures that have yet to be developed. On this score, we may see some concerns raised by privacy advocates. The strong oversight provisions look to me to be a good answer (indeed, they are a bit of overkill) but the debate on this Title will almost certainly turn on the adequacy of privacy and civil liberties protections.