The fear of lawsuits has – for a very long time – been among the primary reasons that public-private cyber-threat information sharing practices have never really materialized. This failure is reality in spite of repeated calls for such partnerships year after year from government and industry leaders. A new draft bill from the Senate Intelligence Committee could – should it ever become law – eliminate such fears.
The bill, which is reportedly under Senate revision ahead of formal consideration, would “authorize private entities to prevent, investigate, and mitigate cybersecurity threats” in addition to authorizing “the sharing of cyber threat indicators and countermeasures” with the government.
In other words, the draft bill co-authored by Sen. Dianne Feinstein (D-Calif.), chairman of the intelligence committee, and the committee’s ranking Republican, Sen. Saxby Chambliss (R-Ga.), would grant relative immunity to any non-foreign, private entity seeking to share threat-related information with the federal government.
On the one hand, privacy protections built into the bill are vague. Broadly speaking, the bill calls on those who would act under its authority to make an effort at safeguarding the privacy of any individuals associated with the information to be shared.
Specifically, it requires that people reporting and receiving such information “limit [its] impact on privacy and civil liberties,” “limit the receipt, retention, use and dissemination of cyber threat indicators associated with specific persons,” “include requirements to safeguard cyber threat indicators that may be used to identify specific persons from unauthorized access or acquisition,” and “protect the confidentiality of cyber threat indicators associated with specific persons to the greatest extent practicable” while making sure that recipients understand that they may only use any information given to them for purposes authorized under the bill.
“This is definitely a step back,” American Civil Liberties Union legislative counsel and policy adviser, Gabe Rottman, told the Washington Post. “The problem is the definitions of what can be shared and who it can be shared with are too broad. In this draft, companies can share data with the military and the NSA. Given the past revelations, I think it’s important to keep this information in civilian hands.”
Thus, Rottman, who received a copy of the draft now hosted on the Post website, reveals a second objection to the bill: namely that private entities may choose which government agency they would like to share their threat information with.
This is, of course, a touchy subject given a year’s worth of National Security Agency surveillance revelations indicating that U.S. intelligence groups have exploited security vulnerabilities and other threat information in order to spy on foreign and domestic targets.
As Rottman notes, there is concern – whether grounded in fact or driven by something more conspiratorial – that cyber-threat information shared with national defense agencies may end up being used for purposes related to foreign intelligence or domestic law enforcement. In other words, advocates are concerned that information ascertained in the name of defense may end up being used for offensive purposes.
The bill, which you can read here [PDF], is only a draft, so changes to its current composition are inevitable should the it ever make it out of its committee and chamber.