The House Intelligence Committee has released a new draft of the Cybersecurity Intelligence Sharing and Protection Act. I think it is fair to say that the bill is becoming more moderate with each iteration. As originally introduced last year the bill contained: a) authorization for information sharing from private sector companies to other private sector companies; b) complete liability protection from suit; c) modest privacy protections; d) no stove pipes on information sharing – cyber security information shared could be used for other purposes (e.g. if it were to turn up a drug case or a national security (non-cyber) matter).
The bill changed as it passed committee and then the House floor. The revisions included: a) addition of a private cause of action with a “good faith” defense; b) restrictions on use of shared information to cyber, national security or child porn purposes only; c) addition of a sunset clause (creating uncertainty); and d) some additional privacy protection process (reports etc.).
Readers may recall that I was skeptical about the return to pre-9/11 stove-piping and the private cause of action (which, if I were the GC of a private company, would lead me to say “don’t share at all”). On the other hand, since the bill does not have any mandates — only authorizations — if it did not encourage more information sharing and nobody took advantage of the authorization, we would just be where we are now – with nothing happening.
This Congress the Committee started with the old House-passed bill and modified it further. According to draft amendments I’ve seen, it will now have a) even more substantial privacy protective processes; and b) it will eliminate the authorization to share cyber security information for non-cyber national security purposes, leaving only sharing for cyber threats; to prevent death or serious bodily injury; or to protect children from child pornography. I have been told that some Intelligence Community lawyers who were consulted by the Committee thought the national security exception wasn’t necessary since any cyber purpose would probably be a national security purpose too. I confess I am skeptical of that, and I also wonder how that justifies the continued inclusion of child pornography as the only special carve-out. While we can all agree that is a truly important purpose, the same logic would seem to cover both instances.