The Obama administration is trying to get out in front of the debate over the information sharing aspects of one of the cybersecurity bills up for debate in the House Thursday.
“While we have been talking for a long time about information sharing — we think information sharing is very important — there is more we can do in the government with the private sector and the private sector amongst themselves, but clearly the issues we look at relative to the vulnerabilities in critical infrastructure, they cannot be fully addressed by information sharing measures alone,” said a senior administration official during a conference call Monday with reporters.
“The critical infrastructure is only as strong as its weakest link,” the official continued. “We have to identify those components in the critical infrastructure, when they occur, where they occur and remediate them from the outset. Doing it in sort of a half fashioned manner with legislation that only encourages better information sharing doesn’t take us where it needs to be as far as protecting critical infrastructure.”
The House is expected to vote on four cyber bills Thursday, but just debate the Cyber Intelligence Sharing and Protection Act (CISPA). Reps. Mike Rogers (R-Mich.), chairman of the Intelligence Committee, and Dutch Ruppersberger (D-Md.), co-author and ranking member of the committee, introduced the bill earlier this month.
CISPA to be updated on the floor
The two leaders then introduced a substitute amendment late last week that waters down the information sharing requirements after some privacy and civil liberties groups expressed concern.
For instance, the Center for Democracy and Technology says CISPA would define information in a broad, almost unlimited way, expand the government’s role in monitoring private-sector communications and shift responsibility to the military for cybersecurity.
Rogers and Ruppersberger were clear in an early April press conference that the military would not play a role in monitoring networks, that companies would be given protection against misuse of the information they share, and that sharing of threat information would be voluntary.
“The bill authorizes the private sector to anonymize or minimize the cyber threat information it voluntarily shares,” Rogers said. “Those companies can make that determination, what they think they minimally need to share in order to solve their problems. We think that is also very limiting and encouraging to folks who are concerned about civil liberties protections. There are very strong limitations on the government’s use of this information. It must be protected from disclosure outside the government. The government may not search the cyber threat information for non-cyber or national threats information.”
And today, 18 House Democrats sent a letter to Rogers and Ruppersberger expressing concerns over CISPA, including who would have access to the information and what that information would be.
The White House prefers its own version of rules for information sharing in a cybersecurity proposal it sent to Congress last May.
Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.) introduced the Cybersecurity Act of 2012 in February, which includes much of what the administration proposed.
The bill’s main sticking points are around information sharing with the private sector and requirements for critical infrastructure providers to protect their systems against cyber attacks.
A second administration official said there needs to be at least four things in any bill to improve information sharing:
Policies and procedures that govern the use of the information: how it’s received, how it’s retained, how it’s disclosed and how it can be used by the government.
Protections on the amount that is retained, and minimization requirements that limit what information received and disclosed is shared with the government.
Adequate protections on that information, and on the handling of that information.
Oversight and accountability measures in place to ensure the sharing and retention of that data is consistent with protections that are part of the law.
White House seeks ‘narrowly tailored’ legislation
“We need legislation that is carefully crafted, that is narrowly tailored to define the types of information that can be shared so that it is focused on the protection of cybersecurity risks and not every conceivable use of private information,” said the second official. “In addition to that, the liability protections need to be carefully tailored so that it encourages good compliance practices, but doesn’t immunize people that don’t adequately protect the information and doesn’t enable the collusion or other things that could happen when you have the private sector sharing information.”
The liability limitations have been a big issue. Under the Rogers-Ruppersberger bill, the private sector could sue the government if an agency wrongly uses the information for anything but cybersecurity or national security threats.
A third administration official said the White House is concerned over liability protections that are too broad and could give a company safe harbor if it’s negligent and loses consumer data.
“The concern is that we have a very carefully developed framework that governs the law of electronic surveillance that has struck a careful balance between legitimate law enforcement access to information on the Internet, and the protection of both customer privacy and critically commercial proprietary information,” said the third official.
“We would be very concerned,” the official added. “And we’ve heard concerns from a number of privacy advocates as well as privacy scholars who have pointed out that if we have a blanket limitation on liability associated with the disclosure of personal information, we are creating a huge hole through this very careful framework on electronic surveillance law that has worked well for decades as a way to set this balance between making sure law enforcement has the ability to investigate crime and national security authorities have the ability to do their jobs, and preserving a trusted Internet for use by the private sector.”