The House Intelligence Committee has released a new draft of the Cybersecurity Intelligence Sharing and Protection Act. I think it is fair to say that the bill is becoming increasingly moderate as it goes through iterations. As originally introduced last year, the bill contained: a) authorization for information sharing from private sector companies to other private sector companies; b) a complete liability protection from suit; c) modest privacy protections; d) no stove pipes on information sharing – cyber security information shared could be used for other purposes (e.g. if it were to eventuate a drug case or a national security (non-cyber) matter).

The bill changed as it passed committee and then the House floor.  It was revised though: a) addition of a private cause of action with a “good faith” defense; b) restrictions on use of information shared to cyber, national security or child porn purposes only; c) addition of a sunset clause (creating uncertainty) and d) some additional privacy protection process (reports etc.).

Readers may recall that I was skeptical about the return to pre-9/11 stove-piping and the private cause of action (which, if I were the GC of a private company, would lead me to say “don’t share at all”). On the other hand, since the bill does not have any mandates — only authorizations — if it did not encourage more information sharing and nobody took advantage of the authorization, we would just be where we are now – with nothing happening.

This Congress, the Committee started with the old House-passed bill and modified it further. According to draft amendments I’ve seen, it will now have a) even more substantial privacy protective processes; and b) it will eliminate the authorization to share cyber security information for non-cyber national security purposes, leaving only sharing for cyber threats; to prevent death or serious bodily injury; or to protect children from child pornography. I have been told that some Intelligence Community lawyers that were consulted by the Committee thought the national security exception wasn’t necessary since any cyber purpose would probably be a national security purpose too. I confess I am skeptical of that and also wonder how that justifies the continued inclusion of child pornography as the only special carve out. While we can all agree that is a truly important purpose, the logic would seem to cover both instances.
