A workable cybersecurity bill? Maybe.

By: William Jackson
May 1, 2015


The latest entrant in the increasingly crowded field of proposed cybersecurity legislation appears to offer adequate protections on personal information as well as appropriate corporate shields. We’ll see.

There is a new entrant in the increasingly crowded field of proposed cybersecurity legislation. The Cybersecurity Information Sharing Act of 2015 (S.754), introduced by Sen. Richard Burr (R-NC) in March, offers the usual corporate shields for companies sharing information about cyber threats, but it also appears to offer meaningful protections for personal information and against excessive snooping.

There are now—at a quick count—something like 19 cybersecurity bills before Congress, 15 in the House and four in the Senate. And it’s still early in the session.

Sharing probably is essential to effective cybersecurity. Enterprises are doing a better job of monitoring and protecting their own and their customers’ infrastructures, and large amounts of significant data are being gathered. But breaches and compromises appear to be continuing unabated. What is needed is a way to make better use of this information.

Despite a consensus that effective legislation is needed to enable better sharing of threat information among companies as well as between the private and public sectors, session after congressional session has passed without action. There have been a lot of concerns, but the two major sticking points have been:

How to shield companies that share potentially damaging (or embarrassing) information with the government and competitors, and

How to ensure the privacy and rights of citizens whose information is moving across the networks and held in the systems being monitored.

These are thorny issues. On the corporate side, the business community is worried that information sharing could create liabilities or trigger antitrust and other laws intended to prevent corporate collusion, or that sensitive information shared with government would become public. Opponents worry that companies would use the law to shield themselves from legitimate oversight and liability.

Protecting citizen privacy and civil rights also is tough. Spelling out who can do what with which types of information is difficult, and neither companies nor government want to be held to strict requirements and restrictions. Their attitude generally is, “Trust us—have we ever let you down?”

S.754 seems to do a decent job on both sides. A business group, Protecting America’s Cyber Networks Coalition, is urging passage of the bill, so they must be pretty satisfied about the corporate safeguards. And privacy safeguards seem to be spelled out well.

Section 4 is the key area for privacy and civil rights protections. It specifies that information can only be used in cyber defensive activities, which are clearly defined. And cyber threats explicitly do not include action that “solely involves a violation of a consumer terms of service or a consumer licensing agreement.” In other words, it would not be a federal offense to violate the 57 pages of fine print in a Web site’s service agreement.

The bill also makes it clear that permissible defensive measures by government and companies are just that—defensive. They do not include anything that “destroys, renders unusable, or substantially harms an information system or data…”

I’m sure the bill is not perfect. Is it good? Maybe. I’m a layman, not a legislator or lawyer, and I’m sure there are pitfalls I have not considered and loopholes I haven’t noticed. But it looks as if it could be a good starting place.

Of course, even a good bill is not guaranteed passage. The 114th Congress does not seem to be any more serious about passing meaningful legislation than the previous two.