Last Thursday, CCIA hosted a panel discussion on a host of cybersecurity information sharing bills under debate in Congress. The event, which was opened by remarks from Senator Ron Wyden, D-Ore., aimed to capture the tension between the need for a robust information sharing regime between the private sector and government, and the privacy interests of Internet users.
In his opening, Senator Wyden did not hold back, telling attendees that without strong privacy protections, cybersecurity information sharing legislation quickly becomes surveillance legislation. Wyden said he is concerned that current cybersecurity legislation proposes that law enforcement can access data for purposes beyond protecting against cyberthreats. He also vowed legislation in this form would not sail to the Senate floor without a robust debate. “Not on my watch will we have a bill like this that slides right in,” Wyden said.
The panel following Senator Wyden’s remarks was moderated by Politico’s cybersecurity reporter, Tal Kopan, and included Greg Nojeim (Center for Democracy & Technology), Robyn Greene (New America’s Open Technology Institute), and Bijan Madhani (CCIA) as discussants who debated the authorizations and liability protections present in each piece of legislation. Tal Kopan opened the panel with a short discussion of the looming debate in the Senate of its Intelligence Committee’s cybersecurity bill, the Cybersecurity Information Sharing Act, and went on to pose a series of questions for the discussants.
Bijan Madhani, acting in the role of the House Intelligence staffer who had a last-minute conflict, began the substantive discussion by detailing why information sharing legislation was needed, and how it transpired that two complementary bills, the Protecting Cyber Networks Act and National Cybersecurity Protection and Advancement Act, would soon be passed on the House floor. A key incentive for private sector information sharing that has been consistently present but continually evolving in such legislation over the years has been liability protection for companies that choose to engage in the voluntary programs.
During the discussion, Robyn Greene focused on the broad use authorizations and minimal requirements regarding personally identifiable information that characterize each bill. She also noted her wariness of authorizing information sharing programs without sunset provisions, saying Congress needs a forcing function to engage in oversight. Amendments providing for a seven-year sunset of the information sharing legislation were attached to the two House bills by the end of the day.
Greg Nojeim focused on the defensive measures for active network protection and monitoring that all three bills authorized companies to use, and also discussed the real-time sharing of information from the bills’ common designated civilian agency, DHS, to other relevant federal agencies, including those in the intelligence community. He highlighted that the White House, in its Statement of Administration Policy, also voiced its concern that any information collected can be shared with any relevant government agency. As to the defensive measure authorization, Greg discussed the likelihood of unintended collateral harm to networks and computers not belonging to the private sector entities employing such tools.
Bijan Madhani noted later that CCIA itself has complex views on the cybersecurity information sharing legislation currently being debated in Congress. While CCIA favors efforts to improve the security of critical public and private networks and infrastructure, it also recognizes that the privacy interests and trust of Internet users are twin paramount concerns, and that all three of these bills should see improvement in that regard as they progress through Congress.