My correspondent (and friend) Gus Coldebella wrote in the other day with a response to an earlier post of mine, in which he wondered what the meaning of section 706(d) of the Lieberman-Collins bill is. I hadn’t noticed the provision when I first read the bill, but Gus got me thinking, and now I have a guess as to why it’s in there.
First, just as a reminder, here’s the text of 706(d):
(d) DELAY OF NOTIFICATION AUTHORIZED FOR LAW ENFORCEMENT, NATIONAL SECURITY, OR HOMELAND SECURITY PURPOSES.—No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any entity, and any such action shall be dismissed promptly, for a failure to disclose a cybersecurity threat indicator if—
(1) the Attorney General or the Secretary determines that disclosure of a cybersecurity threat indicator would impede a civil or criminal investigation and submits a written request to delay notification for up to 30 days, except that the Attorney General or the Secretary may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary;
(2) the Secretary, the Attorney General, or the Director of National Intelligence determines that disclosure of a cybersecurity threat indicator would threaten national or homeland security and submits a written request to delay notification, except that the Secretary, the Attorney General, or the Director, may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.
As Gus pointed out, the problem with this language is that it purports to limit a cause of action for failure to disclose cybersecurity threat information, but the entire CTI sharing program is supposed to be voluntary. So why limit the cause of action for not sharing where there is no duty in the first instance to share?
Now, here’s my guess – the provision is designed to allow NSA and DOJ to be able to stop temporarily companies from sharing cyber threat indicators when it appears that the cyber threat indicator came from China or a terrorist group and they want to do surreptitious forensic work. I suppose there is another possibility as well – that they might want to stop temporarily the sharing of CTI when the threat being disclosed is one that has been created by …. Well, NSA. In fact, if you believe that, then the reason the government so much wants to be at the center of CTI sharing is not just to protect the public but also to protect its own methods.
One other point – I’m pretty sure that 706(d) is not related to 704(g)(7), which creates a private right of action for government violations of the info sharing title. 706(d) pre-dates 704(g)(7); 706(d) was in the Cybersecurity Act S. 2105 version last February. The private right of action is new to the Cybersecurity Act S. 3414 version.