The Who, What and Why of Information Sharing in Cybersecurity Legislation

In earlier posts I’ve written generally about the information sharing provisions of the Lieberman-Collins cybersecurity bill and the McCain bill.  Today I want to continue drilling down in comparing the two bills on a more detailed basis by examining the nuts and bolts of the respective information sharing proposals – asking, what information will be shared; with who; and to what purpose?  If the devil is in the details, there are some pretty devilish differences between the approaches the two bills take.  And, as an added bonus, since the House will soon take up the Rogers-Ruppersberger cyber information sharing bill, I want to add that into the mix as well. What Information Is Shared? We should, as with any good analysis, begin at the beginning.  We talk often about “information sharing” as a panacea without defining exactly what information can be shared.  Fortunately, the bills pending in Congress do a better job of that, albeit with significant variations amongst them. The McCain bill in section 101(4) gives an extensive list of techniques and methods by which cyber intrusions might occur and defines information about any of those techniques as “cyber threat information.”  The definition thus includes any information “indicative of” a vulnerability, a mitigation method, a malicious reconnaissance, a method for defeating existing technical control systems, and the like. These phrases (such as “technical control” and “operational control”) are then further defined.  In the end, the evident intent of the McCain language is to broadly define the means by which cyber intrusions happen and then classify all information relating to the use of those means as threat information that may be shared. Lieberman-Collins, in section 708(6), takes much the same approach to what it calls “cyber threat indicator[s].”  It defines the indicators in many of the same terms as the McCain bill (e.g. malicious reconnaissance, technical controls, and such).  In the basic outlines there is much common ground between the two bills … with one exception.  As a nod to privacy and civil liberties concerns, the Lieberman-Collins bill specifies that cyber threat indicators are information regarding which “reasonable efforts have been made to remove information that can be used to identify specific persons unrelated to the cybersecurity threat.”   Thus, all of the provisions authorizing sharing (and all of the liability protections) do not apply if an entity sharing information has not made “reasonable efforts” to scrub the data of personally identifiable information. By contrast, the Rogers-Ruppersberger bill on the House side has a broad definition of cyber threat information.  Essentially, the definition allows the sharing of any information about a vulnerability or threat to a cyber system to protect the system from: a) efforts to degrade, disrupt, or destroy it; or b) efforts to steal from it any private or government information, any intellectual property, or any personally identifiable information.  Thus it differs from the McCain bill in describing an “effects” test for cyber threats, as opposed to a “means” test. Which approach is best?  Well, you pays your money and you takes your choice, as they say.  The House bill has much to recommend it in that it describes cyber threat information in a more readily understandable way.  But the breadth of its definition opens it up to the criticism that essentially everything is potentially cyber threat information.  The more technical “means” method of describing cyber threats in the two Senate bills seems intended to provide a more focused definition. But even at that civil libertarians have complained, particularly about the McCain bill’s lack any protection for individual-based information “unrelated” to the cyber threat.  Here, one supposes that the concern is for the content of the data in which the cyber threat is found – and how significant a problem that is depends on your fundamental view of how likely the government is to be abusive in its collection and use of personal information. On the other side of the coin the inclusion of phrases like “reasonable efforts” are inevitably question-begging.  As a private sector actor, I might be very leery of sharing information if my protection for doing so were subject to a post-hoc judgment of the reasonableness of my efforts to protect personal information. Who is Information Shared With? The two Senate bills take significantly divergent approaches to identifying the entities with whom cybersecurity threat and vulnerability information can be shared.  Here is probably the greatest difference between the two bills. Under section 703 of the Lieberman-Collins approach, the Federal government (through DHS) must designate a lead Federal information sharing center and will have discretionary authority to designate other such centers both within the Federal government and, permissively, within the private sector.  Given the nature of politics and turf, there is every reason to expect that DHS would designate itself as the principal lead information sharing center.  Whether it would exercise its additional authority to designate other Federal agencies (say the NSA or the Department of Commerce?) as alternates and whether it would choose to designate one (or many?) private sector entities as authorized centers is a much more indeterminate question – much will depend on the perspective taken by the Secretary of DHS charged with making the decision.  [One could, for example, imagine a Republican sensibility for private sector action or a Democratic aversion to NSA animating such a decision at a meta-level.] By contrast, the McCain proposal takes a much less directive, agnostic approach to the question.  It starts from the premise that there is nothing to choose among the many existing Federal cyber information sharing centers that already operate across the range of Federal agencies – DHS, NSA, Commerce and the FBI are all mentioned.  It then simply authorizes any private sector entity to share with any of these Federal institutions, at their discretion.  Given Senator McCain’s widely reported belief that the NSA/DoD are more capable of providing assistance than DHS, this agnosticism may very well disguise a preference for the DoD, but on the face of the legislation no formal preference exists. The same cannot be said for the Rogers-Ruppersberger approach.  That bill, coming as it does from the House Permanent Select Committee on Intelligence, focuses, naturally, on the NSA and the Office of the Director of National Intelligence as the fulcrum for information sharing, particularly for classified information flowing from the government to the private sector.  For the converse flow (from the private sector to the government) it authorizes simply sharing with the “Federal government,” without further definition – permitting sharing with, quite literally, any agency.  No doubt a product of House jurisdictional restrictions, this broad permissiveness is, nevertheless, a source of potential concern to civil libertarians. On the merits, there is much to be said for the simplicity of the Rogers-Ruppersberger and McCain approaches.  Certainly, to the extent one believes that government intervention is often more inefficacious than it is effective, we might prefer a non-mandatory approach and one that seeks to minimize turf battles.  On the other hand, I confess to a degree of unease about the extent to which we are rushing headlong to allow a military component to have a significant control over what is essentially a civilian enterprise.  To be sure, DHS is currently less well-staffed than NSA/DoD for this effort but if that is the case, then perhaps the better answer is to strengthen DHS’s capabilities.  It is hard not to have some sympathy for the Lieberman-Collins approach here. What Purposes Can Shared Information Be Put To? Another area of divergence is what privacy advocates call a “purpose limitation.”  After all, irrespective of what information gets shared and with whom, if the purpose to which the shared information is put is circumscribed in some way then concerns about the information sharing program might be lessened.  Here, again, the three bills diverge in their approaches The Lieberman-Collins bill has the most significant set of restrictions the purposes to which shared information can be put.  For information shared between private sector entities, the sharing entity is free to impose use and purpose limitations on the receiving entity of whatever form it wants.  The receiving entity is also prohibited from using the data received to achieve an unfair competitive advantage.  Finally, the receiving entity may only use the cyber security information to protect its information systems from cyber threats, and not for any other purpose. The Lieberman-Collins Federal purpose rules generally follow the same model – the information shared with a Federal cyber exchange is limited in its purpose to preventing or mitigating a cyber threat to an information system.  Disclosure to law enforcement is permitted, however, if the information relates to a crime that has been, is being or is about to be committed. Under the McCain bill, any information shared by the private sector with the Federal government may be used for any cybersecurity purpose, any national security purpose, or for the prevention, investigation and prosecution of certain crimes – namely those already listed as crimes for which a wiretap order may be sought under 18 USC 2516.  Information shared with another private sector entity can (as with Lieberman-Collins) be limited in its purpose at the discretion of the sharing entity – and the receiving entity is obliged to abide those limitations and to not use the received information for its competitive advantage. Rogers-Ruppersberger, again, takes the minimalist approach.  Indeed, the only substantive limitation on the use of shared information is that no private sector entity may use information it receives to gain an “unfair competitive advantage” over the entity that provided the information, a provision similar to that in the Lieberman-Collins and McCain bills.  Add in a requirement to abide by any other restrictions imposed by the sharing entity (again as in the Senate bills) and that’s basically it for private sector limitations.  On the Federal side, the bill adds a limitation against using the shared information for a regulatory purpose.  Implicit in all of this is the authorization to use the shared cyber threat information for any non-prohibited lawful purpose. How to assess these limitations?  On the private-to-private side the result is fairly clear – the inclusion in Lieberman-Collins of a “protect an information system” purpose limitation is a significant departure from the structures suggested in McCain and Rogers-Ruppersberger.  Again, implicit in the absence of that limitation from those bills is the suggestion that any lawful purpose will suffice. On the Federal purpose side, the result is somewhat mixed.  Plainly, the “cyber security + national security” purpose limitation in McCain is broader than the “cyber security only” purpose limitation of Lieberman-Collins.  As readers might suspect, I have a preference for the McCain vision, since the re-erection  of “walls” for information sharing is contrary to the overall thrust of what we have learned from our review of the 9/11 attacks.  Surprisingly, however, the McCain law enforcement sharing provisions are actually narrower that the Lieberman-Collins rule – an instance where the McCain provisions are actually more civil liberties protective than other possibilities.