Why Congress Can't Pass Cyber LawCompromise Absent Over Scope of Liability Protection
The No. 1 reason Congress, after five years of intensive efforts, has yet to enact comprehensive cybersecurity legislation is differences over how much liability protection to grant businesses to get them to share cyberthreat information.
See Also: You've Got BEC!
"The one issue that has made it difficult for us to put together any kind of comprehensive cybersecurity security has been our inability to agree on what kind of liability is appropriate," Sen. Tom Carper, the Delaware Democrat who chairs the Senate Homeland Security and Governmental Affairs Committee, said during a March 26 hearing he called on cyberthreat information sharing between the federal government and the private sector. "If we can solve this one, I think we'll move a long way to where we need to go in this arena."
The one issue that has made it difficult for us to put together any kind of comprehensive cybersecurity security has been our inability to agree on what kind of liability is appropriate.
But the barrier for agreement on liability protection - one of the few cybersecurity issues where a partisan divide exists - remains a high one to clear as the attitudes of the Democratic-run administration and its supporters in the Senate and Republican lawmakers seem rigid.
Simply, the argument against granting the private sector broad liability protection is that businesses could potentially exploit it to collude on other matters.
Supporters of more targeted liability protection, mainly Democrats, contend it would provide sufficient protection to enable businesses to share cyberthreat information. But proponents of broad liability protection, mainly Republicans, argue that businesses would not feel adequately protected if they were granted only limited liability because their lawyers would caution them that they could still be subject to legal action.
A Matter of Trust
The ranking Republican member of the committee, Tom Coburn of Oklahoma, says there's an assumption in government that businesspeople are going to do something wrong and not do something right. Coburn envisions a situation where two Internet service providers are sharing cyberthreat information when a Justice Department antitrust division lawyers says, "'Hey, wait a minute, you have to prove that was necessary for cybersecurity rather than you guys colluding to keep somebody out.'
"The ISPs are talking back and forth without immunity because it's the best thing to do for the country to protect us. And yet, what we're finding is resistance here to give them that kind of broad legal liability [protection] because we don't trust them to do what's best for the country as a whole and we think that they're always self-centered; they're only going to do what's good for them and we've already seen in the cyber-arena that ain't true."
But Phyllis Schneck, on the job for the past six months as the Department of Homeland Security's top cybersecurity official, told the committee that her view on liability protection has evolved since leaving her previous position as a top executive at the IT security provider McAfee, now Intel Security.
"I think that the targeted liability protection that the administration is looking at right now would help us because it would protect companies in the instances defined [regarding cyberthreats] to share information. They wouldn't get hurt by that; they wouldn't be held liable nor would their shareholders," said Schneck, DHS deputy undersecretary for cybersecurity.
Company or Country?
While working in the private sector, Schneck related instances in which she shunned the advice of her company's lawyers and shared information. "It was company or country," she said. Later, she added: "I could have lost my job if something went wrong." But Schneck said she trusted those in government which whom she shared information, knowing they would use it only to prevent other cyber-incidents. Liability protection - even limited protections - would help, she said. "Not liability for everything on the planet but liability protection for that case. That's what the administration means by targeted liability."
Twice, the Obama administration had threatened to veto House-passed legislation that would provide broad liability protection (see White House Threatens CISPA Veto, Again and Obama Threatens to Veto Cybersecurity Bill). "This broad liability protection not only removes a strong incentive to improving cybersecurity, it also potentially undermines our nation's economic, national security, and public safety interests," the administration said.And a conversation I had with the White House's top cybersecurity official suggests that the administration won't compromise on this matter. "I wouldn't want to underestimate the difficulty of passing legislation in the current environment," said Michael Daniel, special assistant to the president and White House cybersecurity coordinator (see Top Obama Adviser Speaks Mind on Cyberthreats). "The issues surrounding information sharing, privacy issues, liability protection - all of those are incredibly complicated issues for a very good reason. And, there are very good arguments on both sides that we have to balance in that space. But, I think that just focusing only on the legislation is probably is not really where we want to go entirely. What we want to look at is what we can do to improve information sharing short of requiring legislation."
Daniel's words suggest that the administration isn't about to give on liability protection. If the White House can't get its way on the issue, it will pursue other means to try to get more cooperation from businesses in sharing cyberthreat information.
"The Department of Justice has existing guidance related to how businesses can share cybersecurity information sharing," Daniel said. "Maybe we need to be clarifying or updating that guidance. There are other areas where we probably can make progress in without getting the legislation to do that."
Perhaps so, but having liability protection codified to get business to share cyberthreat information would make us all feel a lot safer in cyberspace.