One of the dangers of blogging about current events is that changing events tend to overtake what you have written. Earlier this week, I wrote about the two House bills currently moving through that chamber.
Amendments have been made to both bills. The Rogers-Ruppersberger amendment can be found here and the Lungren amendment in the nature of a substitute is available here. Both amendments make modest changes to the information sharing provisions of the respective bills.
Earlier, I had characterized the Rogers-Ruppersberger bill as “silent” on the question of limits on the sharing of cyber threat information for intelligence purposes. The amended bill makes two changes:
- First, the bill now says that “at least one significant purpose of” sharing cyber threat information must be either a cybersecurity purpose or a national security purpose. Readers will see in this language echoes of the “significant purpose” debate over information sharing that came with the Patriot Act.
- Second, the bill now prohibits the Federal government from affirmatively searching cyber threat information shared with the government for any purpose other than cybersecurity or national security. In other words, it can use the information for prosecution in other unrelated crimes if it stumbles across that information, but it cannot attempt to affirmatively mine the information for other crimes.
Meanwhile the Lungren bill, which I had characterized as having a narrow definition of cyber threat information that may be shared, moved toward broadening that definition. The new definition includes information that is necessary to identify or describe:
- Methods for defeating a cyber operational control;
- Methods for spoofing individuals with access to enable the defeat of an operational control;
- Information exfiltrated from a computer system that describes the cyber attack;
- Anomalous patterns of communication indicative of or for the purpose of enabling a cyber attack (but excluding content or routing information); or
- Methods of gaining remote access to a cyber system,

provided in all cases that reasonable efforts are made to remove information identifying individuals not associated with the cyber attack.
Though the Lungren definition is quite a bit more detailed than the broader definition in the Rogers-Ruppersberger bill, it is clear that the two bills are converging, even as the Lungren bill retains a strong strain of privacy protection. Only time will tell if the bills can be reconciled completely.
Meanwhile, the Senate side is abuzz with rumors that Lieberman-Collins-Rockefeller-Snowe will be released tomorrow with hearings next week. Again … only time will tell.