In two earlier posts I’ve focused on some of the particular issues that may arise during the Senate’s consideration of a comprehensive cybersecurity bill. The focus on the Senate is apt, inasmuch as Senator Reid has promised to bring a bill to the floor for consideration in the coming weeks.
But, as we wait for the debate on the Senate floor to begin in earnest, we should not disregard the action in the House of Representatives, where two competing bills vie for attention. One, the Rogers-Ruppersberger bill (H.R. 3523), is the product of the House Select Committee on Intelligence and was passed out of that Committee on a 17-1 vote. The other, H.R. 3674, goes by the acronym PRECISE Act (Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act, of course). It is authored by Congressman Lungren and has bipartisan support in the House Homeland Security Committee, where it will soon be considered by the full committee. The similarities and differences between them are instructive in illuminating some of the issues of concern in the cybersecurity debate.
Who Is In Charge: By far the most salient difference between the two bills (both from a political and a practical perspective) is reflective of their provenance, Congressional committee jurisdiction rules and, inevitably, gentle Executive Branch turf wars.
H.R. 3523, coming as it does from the Intelligence Committee, gives a leading role to the Director of National Intelligence. He is responsible for establishing procedures to broadly share cyber threat information with the private sector. The private sector, in turn, is authorized to share cybersecurity information both amongst themselves and with the Federal government (though exactly who in the Federal government is neither mandated nor specified).
By contrast, H.R. 3674 gives pride of place to the Secretary of Homeland Security. DHS is given responsibility for maintaining a clearinghouse of cyber threat information and disseminating that information broadly within the Federal government and to the private sector. Clearly, the choice between DHS and DoD/NSA as the principal interlocutor between the Federal government and the private sector is a choice fraught with political tension and practical effect.
Private Sector Sharing: Interestingly, and creatively (though I am pleased to say that the idea is quite similar to one I wrote about a couple of years ago) H.R. 3674 also creates a non-profit private sector corporation to manage the private-to-private aspects of cyber threat information sharing. The new “National Information Sharing Organization” would be managed by a joint public-private board of directors with additional representation from privacy and civil liberties NGOs. It would be charged with enabling private-sector cyber threat information sharing – but only with significant privacy protections.
H.R. 3523 takes a different approach. It simply authorizes private-to-private sharing among a defined class of cybersecurity providers without the bureaucracy of a new organization. Under its provisions, review and oversight of the information sharing program would be delegated to the Privacy and Civil Liberties Oversight Board (an entity created by legislation in 2004 which has yet to become operational). Here, the “minimalist” approach of the Rogers-Ruppersberger bill contrasts quite sharply with the more “structural” approach of the Lungren proposal.
What Data and How Is it Used: Another point of contrast between the two bills lies in their respective definitions of what types of information can be shared. The House Homeland Security bill identifies a specific, limited category of cyber threat information that can be shared: it authorizes the new NISO to share only information “necessary to describe a method of defeating technical controls on a system or network that corresponds to a cyber threat.” The Rogers bill has a broader definition, authorizing the sharing of any information pertaining to the protection of a cyber system against “efforts to degrade, disrupt, or destroy” the system or to “theft or misappropriation” of information from the system. Needless to say, the broader definition concerns privacy advocates, while the narrower definition gives pause to more security-minded analysts.
Likewise, by narrowing the definition of what can be shared, the Lungren bill also restricts the governmental purposes for which cyber threat information can be shared – in effect, stove-piping cyber threat information and disaggregating it from other types of intelligence collection and analysis. H.R. 3523, on the other hand, is silent on the topic, presumptively permitting cyber threat information to be aggregated with other intelligence data as a means of further “connecting the dots.”
Finally, the bills do share one point of agreement that some find troubling. Both make clear that the information shared by the private sector with the federal government cannot be used for Federal regulatory purposes (which makes sense: who is going to share information about a vulnerability if that becomes the basis for an enforcement action?) and that the information is proprietary and exempt from disclosure rules like FOIA (again, a necessary incentive). Some good-government advocates might prefer a more mandatory model and are concerned that private sector actors will conceal their misdeeds or avoid responsibility for them through these types of disclosures.
One final note: Both House bills are far less directive and mandatory than their Senate counterparts. The Rogers bill has no regulatory structure at all, while PRECISE has a comparatively light, risk-assessment and standards-based approach that would be significantly less intrusive on the private sector than either the earlier Senate drafts or the Obama Administration proposal. Depending on your viewpoint that is either an advantage or a disadvantage, but the distinction is quite clear.