Governance & Risk Management , Information Sharing , Legislation & Litigation
Seeking Compromise on Info-Sharing BillCrafting a Measure to Get Businesses to Share Threat Data
Passage of cyberthreat information-sharing legislation could hinge on how the measure is presented to Congress, and its fate could be tied to a massive omnibus appropriations bill to fund the federal government for the remainder of fiscal 2016.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
But first, a refresher. Twice in April, the House passed cyberthreat information-sharing legislation - one bill from the Intelligence Committee, the Protecting Cyber Networks Act; the other originating in the Homeland Security Committee, the National Cybersecurity Protection Advancement Act (see House Oks 2nd Cyberthreat Info-Sharing Bill). In October, the Senate approved a version of the bills drafted by its Intelligence Committee, the Cybersecurity Information Sharing Act (see Senate Passes Cybersecurity Info-Sharing Bill).
Incentives to Share Data
All the bills have the same central goal: to establish a process to share cyberthreat information between industry and government and among businesses, as well as provide incentives to businesses to get them to do so. The bill that originated in the House Homeland Security Committee provides more privacy and civil liberties protections to citizens - such as requiring the scrubbing of personally identifiable information before sharing data - than do the two measures penned by the Senate and House intelligence committees. The Homeland Security Committee measure also designates a civilian agency - the Department of Homeland Security - to be the government entity to manage information sharing.
If you recall your high school civic lessons, when similar but not identical bills pass each of the chambers, a conference committee is usually formed to work out the differences. But in this case, no formal conference committee has been established. Instead, leaders of the three committees have been exchanging copies of a proposed wording of the revised compromise legislation that one Senate staffer says doesn't emphasize privacy and civil liberties protections. Copies of the compromise language are being shared with the White House.
Privacy Advocates Raise Concerns
A draft of the compromise legislation has not been made public. But a coalition of privacy and civil liberties groups that oppose the current draft say, based on public reports, it would:
- Create a loophole to let the president remove DHS as the lead government entity to manage cyberthreat information sharing;
- Reduce privacy protections for Americans' personal information;
- Redefine the term "cyberthreat" to facilitate the prosecution of crimes that are not basically cyber in nature;
- Broadly expand liability protections for businesses to disclose cyberthreat information;
- Pre-empt state, local and tribal disclosure laws on any cyberthreat information shared by or with a state, tribal or local government; and
- Eliminate a directive to ensure data integrity.
"These changes would render it an unacceptably compromised piece of legislation that would be both unhelpful for cybersecurity and dangerous to Americans' civil liberties," says a letter sent earlier this week from the coalition of groups to President Obama and congressional leaders.
Pledge to Provide Safeguards
Rep. Adam Schiff, the California Democrat who co-sponsored the House Intelligence Committee bill, said in an email sent to reporters that he believes the compromise bill "will have the strongest privacy safeguards of any cyber bill to date."
House Homeland Security Committee Chairman Michael McCaul, R-Texas, said he's negotiating the privacy terms in the bill, pointing out that a final sticking point could be the management of the portal used to share cyberthreat information.
"You don't want to share information with somebody that can either prosecute or spy on you," McCaul told reporters, according to TheHill.com.
McCaul, speaking earlier this week at a breakfast sponsored by the Christian Science Monitor, said he's "optimistic" negotiators could "get to a middle ground" on a final bill. "It's critical that we pass it," he said. "And the White House has been a very good partner in trying to get this accomplished."
Congress is in session through Dec. 18. After that, it doesn't return to Washington until Jan. 5.
Talk on Capitol Hill, according to various reports, is that the cyberthreat information legislation could be attached to the omnibus spending bill to fund the federal government through Sept. 30; a vote on that measure could occur in the coming days. Being tied to an appropriations bill would make it harder for privacy advocates in the Senate to get the 41 votes needed to filibuster - or block a vote - on the cyberthreat information-sharing legislation.
If the cyberthreat information-sharing legislation is not a rider on the spending measure, it likely would not come up for a vote until early next year, Politico reports, citing House Intelligence Committee Chairman Devin Nunes, R-Calif.
One thing is almost certain: the final language of the legislation will be decided by a handful of lawmakers with little transparency. That's not good for our democracy.