Congress Cybersecurity & Tech

New Draft of House CISPA Bill

Paul Rosenzweig
Thursday, April 11, 2013, 9:27 AM
The House Intelligence Committee has released a new draft of the Cybersecurity Intelligence Sharing and Protection Act.  I think it is fair to say that the bill is becoming increasingly more moderate as it goes through iterations.  As originally introduced last year the bill contained:  a) authorization for information sharing from private sector companies to other private sector companies; b) a complete liability protection from suit; c) modest privacy protections; d) no stove pipes on information

Published by The Lawfare Institute
in Cooperation With
Brookings

The House Intelligence Committee has released a new draft of the Cybersecurity Intelligence Sharing and Protection Act.  I think it is fair to say that the bill is becoming increasingly more moderate as it goes through iterations.  As originally introduced last year the bill contained:  a) authorization for information sharing from private sector companies to other private sector companies; b) a complete liability protection from suit; c) modest privacy protections; d) no stove pipes on information sharing - cyber security information shared could be used for other purposes (e.g. if it were to eventuate a drug case or a national security (non-cyber) matter). The bill changed as it passed committee and then the House floor.  It was revised though: a) addition of a private cause of action with a "good faith" defense; b) restrictions on use of information shared to cyber, national security or child porn purposes only; c) addition of a sunset clause (creating uncertainty) and d) some additional privacy protection process (reports etc.). Readers may recall that I was skeptical about the return to pre-9/11 stove-piping and the private cause of action (which, if I were the GC of a private company would lead me to say "don't share at all").   On the other hand, since the bill does not have any mandates -- only authorizations -- if it did not encourage more information sharing and nobody took advantage of the authorization we would just be where we were now - with nothing happening. This Congress the Committee started with the old House-passed bill and modified it further.  According to draft amendments I've seen it will now have a) even more substantial privacy protective processes; and b)  it will eliminate the authorization to share cyber security information for non-cyber national security  purposes, leaving only sharing for cyber threats; to prevent death or serious bodily injury; or to protect children from child pornography.  I have been told that some Intelligence Community lawyers that were consulted by the Committee thought the national security exception wasn't necessary since any cyber purpose would probably be a national security purpose too.  I confess I am skeptical of that also wonder how that justifies the continued inclusion of child pornography as the only special carve out.  While we can all agree that is a truly important purpose, the logic would seem to cover both instances.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare