Soon, Senator Harry Reid promises to bring a comprehensive cybersecurity bill before the Senate for consideration. The base draft bill to be considered remains shrouded in secrecy, the subject of urgent, on-going, behind the scenes negotiations. The general intent appears to be the crafting of a single bill that combines aspects of the two major competing Senate bills – the “Rockefeller-Snowe” bill (a product of the Senate Commerce committee) and the “Lieberman-Collins” bill (passed out of the Senate Homeland Security and Government Affairs committee). How much of each bill will be incorporated in the base bill is unknown. So too is the question of whether the base bill will give any deference to the Obama Administration’s legislative proposal (released last May) and whether other bills (Gillibrand-Hatch on cybercrime reporting or Rogers-Ruppersburger from the House on information sharing) will be included in whole or in part. About the only certain thing is that the question of cybersecurity is likely to set a new world record for competing bills with bipartisan co-sponsors. Everyone agrees the problem is important – they just don’t agree at all on what to do about it.
That having been said, the broad outlines of issues that will be discussed as the cybersecurity bill is considered are starting to become clear (though, in the end, some may not make it into the final product). In this post, I want to highlight three areas where we are likely to see significant legislative activity. It may be that these issues are NOT in the base bill (which, by all reports, maybe be a lowest common denominator sort of effort with all the controversy drained out of it).
I plan to follow this up in other posts to examine some issues in more lawyerly depth over the next few days and, of course, to post some thoughts on the cybersecurity bill when it becomes public. For now, however, just some scene-setting highlights.
Information Sharing
One of the principal areas of complaint about the existing legal structures is the perception that a confluence of statutes and rules prevent the private sector and the federal government from sharing information with each other. The view from the private sector is that a host of privacy, telecommunications, and antitrust rules prevent them from sharing information about threats and vulnerabilities with the government and among themselves. The view from government is that there are challenges in sharing classified threat signature information with the private sector without compromising sources and methods. And the view from the privacy and civil liberties NGOs is that authorizing the sharing of information (particularly information that personally identifies an individual) for cybersecurity purposes risks eroding privacy and freedom.
Because of the challenges of squaring these competing demands, it appears that information sharing will be dealt with by way of amendment rather than as part of the base bill. In that context there are likely to be three significant issues where diverging views will need to be reconciled:
- Sharing With Whom and on What Terms? The Obama Administration proposal significantly expands and extends the scope of information that can be shared by the private sector with the Federal government. It then puts the government in the central position of, in turn, pushing that information out to other private sector actors, in effect serving and an information hub. The Administration has affirmatively rejected the idea of enabling private-to-private information sharing – something that many in the private sector think would be more efficient and effective. The House Rodger-Ruppersburger bill, on the other hand, makes private-to-private sharing a centerpiece of its efforts and makes sharing with the Federal government voluntary. So the issue here is mandatory-and-centralized versus voluntary-and-decentralized.
- To What Effect? Another issue that is likely to be considered is whether the game is worth the candle. A recent DoD audit of the first pilot program found mixed results – the operators were reasonably capable of following the sharing rules, but the program provided no more than a 5% improvement in actual performance in thwarting cyber intrusions.
- Liability Protection? No private sector actor is going to share information if doing so would potentially subject it to liability. Both the Obama proposal and the two leading Senate proposals provide protection against liability by preempting inconsistent State or Federal law. Those who fear the expansion of information sharing and who are concerned with the misuse by government of personal information oppose these protections, though it seems to me they are essential to the project if it is to succeed.
Regulation
A second major issue that will need to be resolved is the nature of the “regulatory model” that will be adopted. Under almost every approach, the Federal government is going to take a more directive role in providing network security. The major question that will be addressed is how the new regulatory system will work.
The Senate draft bills tend to take a relatively moderate approach. They, for example, direct the Secretary of Homeland Security to conduct a systemic assessment of the risk to each critical infrastructure sector and instruct the National Institute of Standards and Technology to develop protection guidelines. Based on those, we might see DHS develop performance standards for protecting particularly vital infrastructure and a process for third-party audits of how the standards are being met. Even these modest steps have, notably, sparked some concern in the tech industry – a prospect that must give the sponsors some pause after the recent SOPA/PIPA debate.
By contrast, under the Administration’s proposal, DHS would take a more active regulatory role in managing cybersecurity in the private sector. Working with industry, DHS would identify certain core critical infrastructure operators (presumably things like the electric grid and the financial markets) and then develop a priority list of the most important cyber threats and vulnerabilities for those operators.
Using those priority lists, the infrastructure operators would be required to develop their own plans to address cyber threats and have them assessed by a third-party commercial auditor. Some operators would also be required to report to the Security and Exchange Commission and certify that their plans are sufficient. If DHS decided that a security framework adopted by a critical infrastructure sector was not adequate, DHS would, under the Administration’s proposal, be authorized to work with NIST to mandate a modified framework. Finally, DHS would be authorized to publicly name critical infrastructure providers whose plans it deemed inadequate. Indeed, in the end, the Administration proposal seems to hold out the specter of a federal government dictating security standards to private industry.
Criminality
Finally, there is likely to be serious discussion surrounding the Administration’s proposal to expand the criminal laws applicable to cybersecurity breaches. Central to these considerations is 18 USC 1030, the Computer Fraud and Abuse Act. That Act starts from an unobjectionable premise – there ought to be a law that makes it a crime to hack into someone else’s computer without their permission – but it has gone off the rails. The Administration proposes to expand the law and, in particular, to make violation of the CFAA a predicate crime for charges under the Racketeering Influenced and Corrupt Organizations Act (RICO). So expanded, the CFAA would become a powerful criminal tool and would also enable civil damage actions against hackers for treble damages.
Many in the privacy and civil liberties communities (including, full disclosure, me, though I am not normally thought of as a member of those groups) are concerned about the proposed expansion of the law and, in fact, urge its limitation. There has already been a skirmish over the criminal provisions of the CFAA in the Senate Judiciary Committee.
The problem begins with the language of the CFAA (18 U.S.C. § 1030) which makes it a crime to access a computer “without” or “in excess” of “authorization.” In some ways, both of these make sense, especially if you substitute the word “permission” for the legal term “authorization.” If I haven’t given you permission to use my computer at all or if I have only given it to you for a limited purpose and you go rooting around in my cyber-files, that’s something that clearly ought to be punished.
But how do we determine what the limits of your “authorization” are? Since the term is not defined in the law, the courts have looked to contractual agreements that govern the use of a computer or internet system. These agreements are known as the “Terms of Service” or “ToS.” They are those long, detailed legal terms that everyone clicks on to “accept” before they sign up for, say, a Facebook account. But, this means that private corporations can in effect establish what conduct violates federal criminal law when they draft such policies.
And those polices are often very broad. For example, many companies limit your use of the internet for personal purposes. Spending excessive time checking your fantasy football team roster is probably a bad idea – but under the statute, it might be a Federal crime if your employer has a policy prohibiting the activity. Another example was the prosecution of Lori Drew, who was charged with violating the My Space rules against using a pseudonym; again, a really bad idea, but perhaps not a Federal offense. When the issue comes up for consideration, the opponents will argue that the better solution would be to let the civil law deal with civil matters and not rely on Federal criminal law for contract disputes.