McCaul Circulates Cyberthreat Info-Sharing BillDraft Legislation Would Offer Broad Liability Protections
Draft legislation from Rep. Mike McCaul, R-Texas, aimed at incentivizing businesses to share cyberthreat information with the U.S. federal government is "marginally better" in regards to privacy protections than a similar bill that passed the Senate Intelligence Committee in a secret session earlier this month, a privacy advocacy group says.
McCaul, who chairs the House Homeland Security Committee, late last week issued draft legislation, titled the National Cybersecurity Protection Advancement Act, that would provide broad liability protections to businesses that voluntarily share cyberthreat information. He says his bill would furnish privacy and civil liberties protections to citizens whose personal data might be exposed in cyberthreat information shared with the government and other businesses.
The congressman unveiled his legislative proposal a day after the Senate Intelligence Committee released late last week the text of the Cybersecurity Information Sharing Act, which the panel overwhelmingly approved March 13 in a secret session.
"Compared to CISA, [McCaul's measure] is marginally better, but there are still core privacy concerns with the bill, including new authorities to spy on users and launch countermeasures," says Mark Jaycox, legislative analyst for the Electronic Frontier Foundation. "In addition, it is probably ineffective because companies are granted broad immunity and all the information is secret. So how will we ever know how successful these reasonable efforts are?"
'Reasonable Efforts' to Strip PII
What makes McCaul's bill marginally better, Jaycox says, is that it uses a similar model to one proposed by President Obama that is reflected in legislation sponsored by Sen. Tom Carper, D-Del., requiring companies to make "reasonable efforts" to strip personally identifiable information from shared threat information.
Carper's bill, S. 456, would limit liability safeguards to threat information shared with DHS's National Cybersecurity and Communications Integration Center known as NCCIC and information sharing analysis organizations, or ISAOs, that would be established by industry with government approval. Because Republicans control both houses, Carper's bill is unlikely to advance.
Though privacy and civil liberties groups tend to favor more of the safeguards found in Carper's bill, some advocates question the need for any cyberthreat information sharing legislation. "All of them are largely redundant," Jaycox says, noting that President Obama signed an executive order in February expanding current information sharing programs (see: President Obama Grapples With Cyber Challenges). However, Obama, many lawmakers and business groups say some businesses would be reluctant to share voluntarily cyberthreat information without changing U.S. law to provide liability protection, something the president cannot do on his own.
Jaycox and other civil liberties and privacy advocates have characterized CISA as a "surveillance" bill. "This bill seems as much about surveillance as it is about cybersecurity: Everything a company shares with the government under the cybersecurity umbrella can be used for law enforcement purposes that present no imminent threat and are completely unrelated to cybersecurity," says Greg Nojeim, director of the Center for Democracy and Technology's Freedom, Security and Technology Project.
McCaul's draft bill doesn't prohibit companies from sharing cyberthreat information with law enforcement and intelligence agencies. But unlike CISA, it does not set up a formal mechanism for the Department of Homeland Security to take cyberthreat information it receives from the private sector and share it with intelligence agencies.
McCaul's bill designates DHS's NCCIC as the portal that businesses and government would use to share cyberthreat information. McCaul maintains DHS offers added privacy protections. "Such built-in privacy oversight is an important reason why DHS is the leading civilian interface for these exchanges," he said in a speech last week (see McCaul to Unveil Threat Info-Sharing Bill). "In fact, privacy advocates have already endorsed NCCIC's role as an information sharing portal."
As for CISA, CDT's Nojeim contends the Senate bill too broadly defines how information can be shared, to include law enforcement measures to battle identity fraud, identity theft, espionage, serious assaults, carjacking with intent to injure, extortion, arson, crimes involving firearms use or possession, bank robberies, drug robberies and many other crimes. "Information shared for cybersecurity reasons should only be used for cybersecurity," he says.
Limited Hack Back Allowed?
CISA and McCaul's bill also would redefine the term "countermeasures" as "defensive measures" and clearly prohibit attacked companies from taking destructive retaliatory action against their assailants. Still, such a provision could allow a limited form of hack-back, in which a victim launches a cyber-attack against the attacker. "This means that hacking back is likely permitted in the form of getting in and watching the intruder from the intruder's network or system," says David Coher, who follows cybersecurity lawmaking as principal for reliability and cybersecurity at Southern California Edison Co., one of the nation's largest electric utilities.
EFF's Jaycox says the defensive-measures definition in CISA fails to clarify what restriction would be placed on companies contemplating hacking back. "The bill may allow such actions as long as they don't cause substantial harm (but) leaves the term 'substantial' undefined," he says. "If true, the defensive measures clause could increasingly encourage computer exfiltration attacks on the Internet, a prospect that may appeal to some active-defense cybersecurity companies, but does not favor the everyday user."
Carper's bill does not address countermeasures or defensive measures.
CISA and McCaul's bill provide broad civil and criminal liability protections for companies that voluntarily decide to participate in cyberthreat sharing with the government and with each other under provisions of the legislation.
Business groups seek broad liability protections to prevent lawsuits based on information they share. McCaul's bill says any company that participates in the voluntary program to share cyberthreat information would be protected from such legal action as long as they don't engage in willful misconduct or gross negligence in sharing the threat data.
Awaiting White House Reaction
In the last two congresses, the White House had threatened a presidential veto of cyberthreat sharing information legislation that had liability protection language similar to CISA and McCaul's bill, contending those safeguards were too broad. The administration usually does not issue a state of administration policy threatening a veto until shortly before either the House or Senate are about to vote on a bill it opposes.
Another cyberthreat information sharing bill is expected to be introduced by the leaders of the House Intelligence Committee in the coming days. A vote by either or both houses on one or more of the cyberthreat sharing measures backed by the Republicans could come as early as next month when Congress returns from its Easter break.