Draft Bill Raises Privacy Concerns
Panel Urged to Safeguard Personally Identifiable Information
Draft legislation establishing a public-private sector National Information Sharing Organization received generally favorable reviews from a panel of witnesses testifying before a House panel on Tuesday.
But witnesses before the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies pointed to specific provisions in the draft that would establish a quasi-government agency to share cyber-threat information they feel should be examined more critically, including how personally identifiable information would be treated.
The not-for-profit National Information Sharing Organization would share cyber-threat information among various government and private-sector constituencies and would consist of representatives from federal, state and local governments, businesses representing the nation's critical infrastructure (see Defining Critical Infrastructure) as well as from seven specific sectors - including banking and healthcare - and the privacy and civil liberties communities (see Draft Bill Eyes Strong DHS Role in Cybersecurity). The draft also would give more responsibilities to the Department of Homeland Security in leading the federal government's cybersecurity efforts.
The draft legislation, proposed by Subcommittee Chairman Daniel Lungren, R-Calif., should provide more safeguards to citizens' privacy, urged Gregory Nojeim, director of the Project on Freedom, Security & Technology at the Center for Democracy & Technology, a not-for-profit public interest group.
Lawmakers should carefully define cyber-threat information that can be shared with or through NISO, Nojeim said. "It is not necessary to run a bulldozer through existing laws that protect privacy and other societal values with a provision permitting the sharing of broadly defined cyber-threat information notwithstanding any law," he said. "Such an open-ended exception would be damaging to privacy and would likely have adverse unintended effects."
That's especially true of personally identifiable information, Nojeim said. "When cyber-threat information includes PII or communications content that is not necessary to identify and respond to the threat, such information need not, and should not be shared, and the bill should so provide," he said.
In an interview with Bloomberg News after the hearing, Lungren said he would incorporate more privacy protections in the bill based on Nojeim's testimony. He told the news service that he intends to formally introduce the bill next week and bring it for a vote by the panel in January.
Analyzing the structure of the National Information Sharing Organization, Congressional Research Service Analyst Kevin Kosar testified that the cost of such quasi-governmental entities would be reduced accountability to federal government direction. That isn't necessarily a bad situation, Kosar said. "A frequent criticism of federal governmental entities - such as agencies - is that they are too responsive to diverse federal oversight authorities," he said. "Their efforts to satisfy the demands of diverse stakeholders may result in underperformance of an agency's general or national policy objectives. One of the arguments for establishing a quasi-governmental entity is the intention that it operates less like a governmental entity and more like a private firm."
Still, he said, it's difficult to anticipate how predictably the proposed NISO would behave due to its ambiguous nature. The draft legislation for NISO does not explicitly state whether it is a governmental entity or a private sector entity. "By virtue of the provision that the entity should charter itself, it might be assumed that it is intended to be private," Kosar said.
Yet, he pointed out, NISO has the tenor of a federal agency because the draft would forbid federal employees from knowingly disclosing information regarding a cyber threat. Violators could be removed from their positions, fined and imprisoned.
Lungren, in the interview, said he would clarify that the clearinghouse would be civilian run.
Impact on SCCs, ISACs
In her testimony, Cheri McGuire, a vice president at security vendor Symantec, endorsed the idea of a NISO, but cautioned that it shouldn't interfere with what she characterized as the good work performed by sector coordinating councils and information sharing and analysis centers.
"The mandate within the structure of the NISO that the government must share information is a strong step in the right direction," said McGuire, who was testifying on behalf of the Business Software Alliance. "However, questions remain about how we will continue to utilize the existing entities under the proposed NISO framework. This is important given the significant time and resources that companies have invested in the SCCs and ISACs."