In an earlier post, I summarized the information sharing provisions of the Lieberman-Collins cybersecurity bill. In this post, I want to take the same summary approach to the newly introduced McCain bill. I am planning a third post (time permitting) to dive into the details of the two bills in this area and try to compare salient similarities and differences side-by-side, though I will note some of the obvious differences here. For now, however, let’s begin by examining the SECURE IT Act, S. 2151.
In many ways the information sharing provisions of S.2151 remind me a great deal of the Rogers-Ruppersberger bill pending on the House side. Title I of the McCain bill takes a light approach — authorizing sharing without setting up any Federal structure to manage it. In particular:
The bill begins, in Section 101, with a comprehensive definition of what constitutes cyber threat information. It also identifies a Federal “cybersecurity center” as any one of a half-dozen existing centers operated by DOD, DHS, DOJ or the Intelligence Community. [Here is a first point of significant difference – the Lieberman-Collins bill looks to the designation of one (or more) lead Federal exchanges, while the McCain bill simply takes as a given our existing cyber center structures.]
Section 102 begins, in subsection (a)(1), with a broad authorization for private entities to collect cyber threat information. Notwithstanding any other law, the private sector would be authorized to collect all relevant threat information – presumably even information that contained personally identifiable information that might otherwise be protected from collection. Section 102(a)(2) then amplifies that any threat information collected may be disclosed to a cybersecurity center or to any other entity in order to assist in preventing or investigating threats to information security.
The broad authorization has two caveats: 1) when the information in question is collected by a company providing security services (someone who operates the intrusion detection system, for example), the bill would require the service provider to give the customer the opportunity to authorize or prohibit the disclosure; and 2) if the information security threat data is collected by an electronic service provider or cybersecurity service provider whose client is the Federal government, then disclosure to the government is mandatory.
Section 102(c) then speaks of the purposes for which cyber threat information shared with the Federal government may be used. Interestingly, the bill would limit onward Federal sharing to disclosures that advance a cybersecurity purpose, a national security purpose or to investigate or prosecute a crime identified in 18 USC 2516 (the Wiretap Act). This last provision is a narrower approach than other bills have taken and is likely to be welcomed by civil liberties proponents.
Section 102(c) also comes with the by now reasonably familiar list of promises – that the information shared will be treated as proprietary; that it won’t be subject to FOIA; and that it won’t be used by the Federal government to turn around and directly regulate the providing private entity. Similarly, section 102(e)(3) contains an antitrust exemption for private-to-private sharing and 102(f) contains a Federal preemption clause. Finally section 102(g) contains a broad liability limitation (notably without the private right of action savings clause contained in Lieberman-Collins). Though various proposals differ in the details, in this area there seems to be a growing consensus of opinion that limits on disclosure and liability are essential to incentivize threat information sharing.
The information sharing Title then concludes with section 103 (attempting to authorize and energize greater sharing of classified threat information by the Federal government) and section 104 (which calls for a report by the Privacy and Civil Liberties Oversight Board on the information sharing provisions one year after enactment).
In conception, these provisions are by far the simplest and most direct of the competing proposals. No Federal structure is created and a broad authorization is granted. For those, like me, who think that threat and vulnerability information sharing is critical, the simplicity is welcome. Others, however, will see a vice in the simplicity – a paradigm of “share only when authorized” is now converted to “share unless prohibited.” While I tend to think that the change is essential, it is surely one that will generate discussion as the bills move forward.