Cybersecurity Information Sharing Panel: Event Recap

By CCIA Staff
April 30, 2015

Last Thursday, CCIA hosted a panel discussion on a host of cybersecurity information sharing bills under debate in Congress.  The event, which was opened by remarks from Senator Ron Wyden, D-Ore., aimed to capture the tension between the need for a robust information sharing regime between the private sector and government, and the privacy interests of Internet users.

In his opening, Senator Wyden did not hold back, telling attendees that without strong privacy protections, cybersecurity information sharing legislation quickly becomes surveillance legislation. Wyden said he is concerned that current cybersecurity legislation proposes that law enforcement can access data for purposes beyond protecting against cyberthreats. He also vowed that legislation in this form would not sail to the Senate floor without a robust debate. “Not on my watch will we have a bill like this that slides right in,” Wyden said.

The panel following Senator Wyden’s remarks was moderated by Politico’s cybersecurity reporter, Tal Kopan, and included Greg Nojeim (Center for Democracy & Technology), Robyn Greene (New America’s Open Technology Institute), and Bijan Madhani (CCIA) as discussants who debated the authorizations and liability protections present in each piece of legislation.  Tal Kopan opened the panel with a short discussion of the looming debate in the Senate of its Intelligence Committee’s cybersecurity bill, the Cybersecurity Information Sharing Act, and went on to pose a series of questions for the discussants.

Bijan Madhani, acting in the role of the House Intelligence staffer who had a last-minute conflict, began the substantive discussion by detailing why information sharing legislation was needed, and how it transpired that two complementary bills, the Protecting Cyber Networks Act and National Cybersecurity Protection and Advancement Act, would soon be passed on the House floor.  A key incentive for private sector information sharing that has been consistently present but continually evolving in such legislation over the years has been liability protection for companies that choose to engage in the voluntary programs.

During the discussion, Robyn Greene focused on the broad use authorizations and minimal requirements for personally identifiable information that characterize each bill. She also noted her wariness of authorizing information sharing programs without sunset provisions, saying Congress needs a forcing function to engage in oversight. Amendments providing for a seven-year sunset of the information sharing legislation were attached to the two House bills by the end of the day.

Greg Nojeim focused on the defensive measures for active network protection and monitoring that all three bills authorized companies to use, and also discussed the real-time sharing of information from the bills’ common designated civilian agency, DHS, to other relevant federal agencies, including those in the intelligence community.  He highlighted that the White House, in its Statement of Administration Policy, also voiced its concern that any information collected can be shared with any relevant government agency.  As to the defensive measure authorization, Greg discussed the likelihood of unintended collateral harm to networks and computers not belonging to the private sector entities employing such tools.

Bijan Madhani noted later that CCIA itself has complex views on the cybersecurity information sharing legislation currently being debated in Congress.  While CCIA favors efforts to improve the security of critical public and private networks and infrastructure, it also recognizes that the privacy interests and trust of Internet users are twin paramount concerns, and that all three of these bills should see improvement in that regard as they progress through Congress.
