House Panel Offers Cyberthreat Info-Sharing Bill
Latest Measure Addresses Liability, Privacy Concerns
PCNA, introduced March 24 by leaders of the House Intelligence Committee, would provide liability protections to businesses that share cyberthreat information with the government and furnish safeguards to shield citizens' personally identifiable information that could appear in shared data. The panel is scheduled to hold a markup session not open to the public on March 26, when the bill could be amended and a vote held.
One of the bill's sponsors, Democratic Rep. Adam Schiff of California, says further changes could be made to PCNA in order to gain broader support. "It's my hope that the House takes up this bipartisan bill soon after the House Intelligence Committee advances it, and that we work with the Senate, the White House and outside stakeholders to make any necessary improvements on its way to the president's desk," says Schiff, the ranking member of the committee.
PCNA sponsors say the bill could serve as compromise legislation on cyberthreat information sharing. Unlike a similar bill offered by the Senate Intelligence Committee - the Cybersecurity Information Sharing Act, or CISA - PCNA would provide liability protection for businesses that share cyberthreat indicators with one another and the federal government as long as it does not go through the NSA or the Department of Defense.
In contrast, CISA would allow for sharing of cyberthreat data with DoD and intelligence agencies. A draft bill from the chairman of the House Homeland Security Committee, Mike McCaul, does not address the sharing of cyberthreat information with intelligence agencies, although it doesn't prohibit it. A fourth measure - Cyber Threat Sharing Act, sponsored by Sen. Tom Carper, D-Del. - reflects President Obama's vision of cyberthreat information sharing and would designate information sharing and analysis organizations as the portals for businesses to share threat indicators.
Limits on Sharing
The PCNA's provision limiting the sharing of cyberthreat data is aimed at addressing the concerns of privacy and civil liberties groups that object to the use of shared information for intelligence or law enforcement purposes, which they see as potentially curtailing citizens' privacy and civil liberties.
According to its sponsors, PCNA also would permit the sharing of limited categories of information - cyberthreat indicators and defensive measures - for cybersecurity purposes. The bill defines cyberthreat indicators as data that could identify malicious reconnaissance, ways to defeat security controls, means to cause security vulnerabilities and methods to cause users to enable exploitations. Defensive measures are defined as ways to prevent known or suspected cybersecurity threats or security vulnerabilities.
PCNA also would provide liability protections for companies that share cyber-indicators and defensive measures in good faith. This provision is aimed at addressing one of the objections the Obama administration raised to the Cyber Intelligence Sharing Protection Act, or CISPA, which passed the House in each of the past two Congresses despite threats of presidential vetoes. The White House, in its veto messages, said CISPA's liability protections were too broad.
Other PCNA Provisions
PCNA, if enacted as written, would:
- Require companies to remove personally identifiable information before they share cyberthreat indicators with the government, as well as require the federal agency receiving cyberthreat indicators to perform a second check to remove PII before sharing the indicators with other relevant federal agencies;
- Strictly limit the business-to-business and business-to-government sharing to cyberthreat indicators and defensive measures to combat a cyberthreat. The legislation would not allow for the sharing of information for non-cyber purposes;
- Impose strict restrictions on the use, retention and searching of any data voluntarily shared by the private sector with the government;
- Permit individuals to sue the federal government for intentional privacy violations in federal court;
- Provide for strong congressional oversight by requiring a detailed biennial inspector general report of the government's receipt, use and dissemination of cyberthreat indicators, as well as having the Privacy and Civil Liberties Oversight Board submit a biennial report on the privacy and civil liberties impact of the law.
Last week, McCaul began circulating his version of cyberthreat sharing legislation known as the National Security Protection Advance Act. On March 12, the Senate Intelligence Committee, meeting in a closed session, overwhelmingly approved CISA (see Senate Intel Panel OK's Info-Sharing Bill).