Cybersecurity Information Sharing Panel: Event Recap

BY Bijan Madhani
April 30, 2015

Last Thursday, CCIA hosted a panel discussion on a host of cybersecurity information sharing bills under debate in Congress.  The event, which was opened by remarks from Senator Ron Wyden, D-Ore., aimed to capture the tension between the need for a robust information sharing regime between the private sector and government, and the privacy interests of Internet users.

In his opening, Senator Wyden did not hold back, telling attendees that without strong privacy protections, cybersecurity information sharing legislation quickly becomes surveillance legislation.   Wyden said he is concerned that current cybersecurity legislation proposes that law enforcement can access data for purposes beyond protecting against cyberthreats.  He also vowed legislation in this form would not sail to the senate floor without a robust debate.  “Not on my watch will we have a bill like this that slides right in,” Wyden said.

The panel following Senator Wyden’s remarks was moderated by Politico’s cybersecurity reporter, Tal Kopan, and included Greg Nojeim (Center for Democracy & Technology), Robyn Greene (New America’s Open Technology Institute), and Bijan Madhani (CCIA) as discussants who debated the authorizations and liability protections present in each piece of legislation.  Tal Kopan opened the panel with a short discussion of the looming debate in the Senate of its Intelligence Committee’s cybersecurity bill, the Cybersecurity Information Sharing Act, and went on to pose a series of questions for the discussants.

Bijan Madhani, acting in the role of the House Intelligence staffer who had a last-minute conflict, began the substantive discussion by detailing why information sharing legislation was needed, and how it transpired that two complementary bills, the Protecting Cyber Networks Act and National Cybersecurity Protection and Advancement Act, would soon be passed on the House floor.  A key incentive for private sector information sharing that has been consistently present but continually evolving in such legislation over the years has been liability protection for companies that choose to engage in the voluntary programs.

During the discussion, Robyn Greene focused on the broad use authorizations and minimal requirements personally identifiable information that characterize each bill.  She also noted her wariness of authorizing information sharing programs without sunset provisions, saying Congress needs a forcing function to engage in oversight.  Amendments providing for a seven year sunset of the information sharing legislation were attached to the two House bills by the end of the day.

Greg Nojeim focused on the defensive measures for active network protection and monitoring that all three bills authorized companies to use, and also discussed the real-time sharing of information from the bills’ common designated civilian agency, DHS, to other relevant federal agencies, including those in the intelligence community.  He highlighted that the White House, in its Statement of Administration Policy, also voiced its concern that any information collected can be shared with any relevant government agency.  As to the defensive measure authorization, Greg discussed the likelihood of unintended collateral harm to networks and computers not belonging to the private sector entities employing such tools.

Bijan Madhani noted later that CCIA itself has complex views on the cybersecurity information sharing legislation currently being debated in Congress.  While CCIA favors efforts to improve the security of critical public and private networks and infrastructure, it also recognizes that the privacy interests and trust of Internet users are twin paramount concerns, and that all three of these bills should see improvement in that regard as they progress through Congress.

Related Articles

CCIA Welcomes Advocate General Opinion on Validity of EU Data Flow Instrument

Dec 19, 2019

Brussels, BELGIUM — Advocate General Saugmandsgaard Øe has issued a non-binding opinion in response to a case involving data transfers that are used to process information like credit card transactions or insurance claims. The case examined whether so-called Standard Contractual Clauses provide sufficient protection to EU citizens’ data when transferred outside the European Union. Standard…

CCIA Signs Joint OTI Letter Supporting Encryption

Dec 10, 2019

Washington — A day before a Senate Judiciary hearing on encryption, the Computer & Communications Industry Association joined 100 other organizations from around the world in a New America Open Technologies Institute letter  to officials in Australia, the U.S. and U.K expressing concern about their misconceptions about encryption.  CCIA, which represents device makers, internet services…

CCIA Asks Senate Judiciary To Extend And Strengthen USA FREEDOM Act Protections

Nov 5, 2019

Washington — The Senate Judiciary Committee holds its first hearing Wednesday on reauthorizing the USA FREEDOM Act of 2015. The Computer & Communications Industry Association is calling on senators to maintain due process and civil liberties protections for US citizens under current surveillance authority and to use this periodic reauthorization to re-evaluate whether the law…