It is said that open communication is the basis of any good relationship, but in cybersecurity legislation it takes more than just a good foundation to succeed. President Obama recently announced new legislation aimed at enhancing cybersecurity by authorizing information sharing between private entities and government agencies as well as between private entities, without fear of reprisal. The proposal builds upon past efforts to pass cybersecurity legislation, being careful to heed privacy concerns expressed in opposition to similar bills. In particular, the bill modernizes a previous White House proposal, and contains many of the same elements as the highly contentious Cyber Intelligence Sharing and Protection Act (CISPA) and Cyber Information Sharing Act (CISA). The bill strives to distinguish itself from past efforts, however, by adding requirements and restrictions on how information is received, used, maintained and shared. In the wake of large cyberattacks such as those against Sony, JP Morgan, Home Depot and Anthem, the White House is hopeful it can overcome privacy concerns that stalled cybersecurity legislation in the past.

See the complementary Cybersecurity Bills Comparison Chart for how this Obama proposal stacks up against CISA, CISPA and the president's 2011 proposal.

What’s Old

This is not the first time the White House has tried to tackle cybersecurity. In 2011, President Obama issued his first Cybersecurity Legislative Proposal, calling on Congress to take action to give the private sector and government the tools they need to combat cyber threats. When this legislation failed to pass, the administration issued Executive Order 13636 directing federal agencies to develop voluntary cybersecurity standards for information sharing with the private sector and to consider proposing new mandates where possible under existing law.

Outside of the White House, numerous bills have been introduced on the topic, including CISPA, CISA, the Cybersecurity Act of 2012 and the Cybersecurity and Internet Freedom Act. Although the specific provisions in each of these proposals vary, the overall goal of protecting America against cyber threats remains the same. As the National Institute of Standards and Technology’s (NIST) draft “Guide to Cyber Threat and Information Sharing” states, the benefits of information sharing include: 1) greater awareness among organizations of specific cyber threats, and defenses against them, 2) enhanced threat understanding, 3) the ability to find correlations from information that may appear unrelated, 4) improved decision making, including faster response time to threats and 5) rapid notification to victims of cyber attacks. Focusing on these benefits, the administration believes it can finally find bipartisan cooperation in Congress for passage of privacy-respecting legislation to authorize cybersecurity sharing.

What’s New

What information can be shared: Under Obama’s 2011 proposal, a company would be authorized to share “any communication, record, or other information … for the purpose of protecting an information system from cybersecurity threats or mitigating such threats.” A major critique of this language was that it allowed too much information to be disclosed. The latest proposal attempts to address this concern by narrowing what can be shared to “cyber-threat indicators.” Section 102(2) of the proposal defines cyber-threat indicators as information necessary to indicate, describe or identify the following:

  • Malicious reconnaissance, including communications that reasonably appear to be transmitted for the purpose of gathering technical information related to a cyber threat;
  • A method of defeating a technical or operational control;
  • A technical vulnerability;
  • A method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system inadvertently to enable the defeat of a technical control or an operational control;
  • Malicious cyber command and control;
  • Any combination of the above.

The new legislation retains a provision from the 2011 proposal requiring entities to make “reasonable efforts” to remove information that could be used to identify a specific person before sharing. However, the latest proposal only requires this information to be removed for individuals “reasonably believed to be unrelated to the cyber threat.” While this front-end protection is an important distinction between the proposed bill and CISPA, which does not require the removal of personally identifiable information before sharing, it may not be enough to appease privacy advocates. As the Center for Democracy & Technology (CDT) points out, the current language “could leave victims and individuals whose computers are co-opted to spread attacks—who are certainly ‘related’ to the threat—unprotected.” According to this approach, the law should distinguish between information about possible attackers, which should be shared, and that about potential victims, which merits protection.

With whom information can be shared: Section 103 of the new proposal states that private entities “may disclose lawfully obtained cyber-threat indicators to private information sharing and analysis organizations, and the National Cybersecurity and Communications Integration Center (NCCIC).” The NCCIC is a division of the Department of Homeland Security (DHS), established under the National Cybersecurity Protection Act of 2014. Information sharing and analysis organizations (ISAOs) are defined in Section 212 of the Homeland Security Act of 2002 as:

“any formal or informal entity or collaboration created or employed by public or private sector organizations, for purposes of— (A) gathering and analyzing critical infrastructure information in order to better understand security problems and interdependencies related to critical infrastructure and protected systems, so as to ensure the availability, integrity, and reliability thereof; (B) communicating or disclosing critical infrastructure information to help prevent, detect, mitigate, or recover from the effects of a interference, compromise, or a incapacitation problem related to critical infrastructure or protected systems; and (C) voluntarily disseminating critical infrastructure information to its members, State, local, and Federal Governments, or any other entities that may be of assistance in carrying out the purposes specified in subparagraphs (A) and (B).”

The administration uses the term “information sharing and analysis organization,” rather than “information sharing and analysis center” (ISAC) to describe these entities. Although the language appears similar, this distinction is important. Described in the Presidential Decision Directive-63 (PDD-63), published in 1998, ISACs are centers that “serve as a mechanism for gathering, analyzing, appropriately sanitizing and disseminating private sector information” between industry players and with government.

Some have criticized ISACs, which are generally organized around specific industries, for “outliving [their] usefulness.” In a recent Politico article, Larry Clinton, president of the Internet Security Alliance, a trade group, stated, “Large banks and large manufacturers have probably more in common with each other (than with smaller companies in their field).” The latest proposal’s establishment of ISAOs attempts to address this concern by expanding information sharing networks beyond industry boundaries. Following the announcement of the cybersecurity proposal, the President signed Executive Order 13691 further explaining the role of ISAOs, stating “ISAOs may be organized on the basis of sector, sub-sector, region or any other affinity, including in response to particular emerging threats or vulnerabilities. ISAO membership may be drawn from the public or private sector, or consist of a combination of public and private sector organization. ISAOs may be formed as for-profit or nonprofit entities.”

Privacy advocates continue to push back against the scope of federal agencies with which cybersecurity information can be shared. Civil liberties groups including CDT, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) heavily criticized CISPA and CISA for allowing information to be shared directly with intelligence and military agencies, most notably the National Security Agency (NSA). In a letter to the Senate Select Committee on Intelligence regarding CISA, CDT criticizes the bill, stating it “requires real time dissemination to military and intelligence agencies, including the NSA.”

In a blog post discussing the entities entitled to collect cybersecurity information under CISPA, the ACLU states “… companies even get to decide whether your information can be delivered to civilian agencies like the Departments of Homeland Security, Treasury, or Energy, or whether it can go to military ones like the National Security Agency.”

The White House, too, criticized CISPA on this point. In a statement opposing CISPA, the administration stated the proposed law “… effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres.” The White House went on to state that the “Administration believes that a civilian agency—the Department of Homeland Security—must have a central role in domestic cybersecurity, including for conducting and overseeing the exchange of cybersecurity information with the private sector and with sector specific Federal agencies.” However, designating DHS as the primary agency to receive information may not be enough to dispel the contention. Obama’s latest proposal still requires that cyber threat indicators received and disclosed by NCCIC are “shared with other Federal entities in as close to real time as practicable.” As the National Journal notes, “[s]ome privacy and civil-liberties groups have said they will not support information-sharing proposals until NSA surveillance changes are enacted.”

Private Information Sharing: Under the latest proposal, private entities may use, retain or disclose cyber-threat indicators “solely for the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from cyber threats or identifying or mitigating such threat, or for reporting a crime.” The bill reiterates that private entities must make “reasonable efforts” to minimize sharing information that could be used to identify individuals “reasonably believed to be unrelated to a cyber threat.” The bill also states that private entities will comply with “reasonable restrictions” placed on information before subsequent disclosure or retention.

For private ISAOs, Section 104 of the bill directs the Secretary of Homeland Security, in consultation with other federal entities, to select a private entity to identify, or develop if necessary, a common set of best practices for the creation and operation of these organizations. Executive Order 13691 calls for the development of best practices, stating “the standards will address the baseline capabilities that ISAOs under this order should possess and be able to demonstrate. These standards shall address, but not be limited to, contractual agreements, business processes, operating procedures, technical means, and privacy protections, such as minimization, for ISAO operation and ISAO membership participation.” Executive Order 13691 goes on to discuss the process for selecting an ISAO Standards Organization (SO), and requires the selected SO to engage in a public comment process during the development of the standards. As discussed below, the latest bill gives partial liability protection to private ISAOs that publicly adopt SO best practices.

Government Information Sharing: The latest White House proposal requires the application of privacy guidelines before DHS shares information with other federal agencies. As mentioned above, CISPA was heavily criticized for its allowance of real-time sharing of information among federal agencies, notably the NSA. Under CISPA, “cyber-threat information shared with departments or agencies of the federal government … is also shared with appropriate departments and agencies of the federal government with a national security mission in real time.” The new legislation directs the attorney general, in consultation with other federal officials, to develop and periodically review policies and procedures for the federal government’s receipt, retention, use and disclosure of cyber-threat indicators. Under this instruction, policies and procedures shall “reasonably limit” the government’s acquisition, use and disclosure of cyber-threat indicators that are “reasonably likely” to identify a specific person. According to the provision, this includes establishing processes for the timely destruction and anonymization of information unrelated to a cyber threat.

A requirement to anonymize (or de-identify) information was not included in the 2011 proposal. As ever, what actually constitutes de-identification raises a flurry of controversy. The Health Insurance Portability and Accountability Act (HIPAA) defines data as de-identified if it “does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.” More specifically, the HIPAA Privacy Rule establishes two methods for a covered entity to de-identify information: (1) obtaining an opinion regarding de-identification from an expert statistician, or (2) removing 18 specific identifiers from the dataset.

As part of its latest privacy and cybersecurity initiative, the White House also released on February 28 a “discussion draft” of a Consumer Privacy Bill of Rights Act. In that bill, the administration defined the term “de-identified data” to mean “data … that a covered entity (either directly or through an agent)— (i) alters such that there is a reasonable basis for expecting that the data could not be linked as a practical matter to a specific individual or device; (ii) publicly commits to refrain from attempting to identify with an individual or device and adopts relevant controls to prevent such identification; (iii) causes to be covered by a contractual or other legally enforceable prohibition on each entity to which the covered entity discloses the data from attempting to link the data to a specific individual or device and requires the same of all onward disclosures, and (iv) requires each entity to which the covered entity discloses the data to publicly commit to refrain from attempting to link to a specific individual or device.”

This definition closely tracks that of the FTC in its 2012 privacy report, stating that de-identification “means that the company must achieve a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, computer, or other device.” The FTC notes, however, that what constitutes a “reasonable level of justified confidence” can vary depending on the individual circumstances. The FTC report sets forth a three-part test for de-identification, stating “as long as (1) a given data set is not reasonably identifiable, (2) the company publicly commits not to re-identify it and (3) the company requires any downstream users of the data to keep it in de-identified form, that data will fall outside the scope of the framework.”

Adding to the debate around de-identification are privacy scholars such as Paul Ohm who argue that, in the right hands, de-identified data can easily be re-identified. In an influential 2010 law review article, Ohm states, “clever adversaries can often re-identify or de-anonymize the people hidden in an anonymized database.” These technological challenges complicate the interpretation of the first part of the test under either the White House (“a reasonable basis for expecting that the data could not be linked as a practical matter to a specific individual or device”) or FTC (“a given data set is not reasonably identifiable”) formula.

Government Sharing with Law Enforcement: As with past bills, the latest proposal addresses government sharing with law enforcement. Section 107(2) requires that the government establish guidelines to permit law enforcement to use cyber-threat indicators received by a governmental agency “only to investigate, prosecute, disrupt or otherwise respond to (A) a computer crime, (B) a threat of death or serious bodily harm, (C) a serious threat to a minor, including sexual exploitation and threats to physical safety or (D) an attempt or conspiracy to commit any offense described in (A)-(C).” This is a significant tightening compared to the 2011 proposal, which broadly allowed DHS, with approval of the attorney general, to “share information with law enforcement entities when the information is evidence of a crime that has been, is being or is about to be committed.”

While the latest bill limits the sharing of information to investigation of certain crimes, the scope of the new restrictions remains unclear. For example, the term “computer crime” is undefined. As critics point out, at the extreme, “computer crime” could cover any crime perpetrated in part through use of a computer, including—according to one interpretation—violation of a website’s terms of use. Furthermore, there is no requirement that the threat of bodily harm be imminent, potentially allowing law enforcement to repurpose information collected in the cybersecurity context to investigate suspicions and unsubstantiated threats. Obama’s latest proposal is not the only bill to receive this criticism. CISA has received similar disapproval, with groups such as CDT criticizing the bill for allowing law enforcement to use information shared for cybersecurity purposes as a “loophole for law enforcement to conduct backdoor searches on Americans.” Overall, ambiguities in interpretation of these provisions raise concerns about spillover of cybersecurity monitoring activity into the sphere of criminal procedure undermining established protections for civil liberties.

Liability Protection: In order to enable and incentivize cyber-threat sharing, the bill, like past bills, provides sharing companies with liability protection in the face of potential lawsuits by customers or partners. The president’s latest proposal states that “no civil or criminal cause of action shall lie or be maintained in any federal or state court against any entity for the voluntary disclosure or receipt of a lawfully obtained cyber-threat indicator … that the entity was not otherwise required to disclose” to or from (1) NCCIC or (2) a private ISAO that “maintains a publically-available self-certification” that it has adopted the best practices established in Section 104 (discussed above).

This limitation of liability clause is markedly narrower than those in past bills. In 2012, the White House criticized CISPA for its broad liability protections, stating the bill “would inappropriately shield companies from any suits where a company's actions are based on cyber-threat information identified, obtained or shared under this bill, regardless of whether that action otherwise violated federal criminal law or results in damage or loss of life. This broad liability protection not only removes a strong incentive to improving cybersecurity, it also potentially undermines our nation's economic, national security and public safety interests.”

The White House proposal extends no liability protection for company-to-company sharing. Instead, all sharing between private entities is to be done through ISAOs. Critics may argue that promoting a centralized-sharing approach means less privacy and security protections for the information shared. According to the NIST draft guide on information sharing, central hubs—such as ISAOs—could themselves become attractive targets for cyber-attacks. NIST explains that peer-to-peer architectures, in contrast, “generally demonstrate greater resiliency since information is available through multiple communication channels and there is no central hub that represents a potential single point of failure or high-value target of attack.” Nonetheless, a central hub provides more control over how information is shared and makes it easier to verify compliance with data sharing agreements and protocols. This standardization may account for the latest proposal’s encouragement of sharing through ISAOs.

The bill exempts cyber-threat indicators shared with NCCIC from disclosure under the Freedom of Information Act (FOIA) and comparable state laws. Importantly, the bill also provides that regulators may not use cyber-threat information as evidence in regulatory proceedings against the entity that disclosed it. Section 106(c)(1) states, “No federal entity may use a cyber-threat indicator received pursuant to this act as evidence in a regulatory enforcement action against an entity that disclosed such cyber-threat indicator to the federal government.”

In the latest proposal, the White House eliminated the “good faith defense” found in its 2011 proposal and in CISPA. Under the 2011 proposal, “good faith reliance by any person on a legislative authorization, a statutory authorization or a good faith determination that this subtitle permitted the conduct complained of, is a complete defense against any civil or criminal action brought under this subtitle or any other law.” Similarly, under CISPA, “No civil or criminal cause of action shall lie or be maintained in federal or state court against a protected entity, self-protected entity, cybersecurity provider or an officer, employee or agent of a protected entity, self-protected entity or cybersecurity provider acting in good faith.” According to groups such as EFF, a good faith defense is “an extremely powerful immunity, because it is quite hard to show that a company did not act in good faith.” By eliminating this broad liability protection, the White House ensures that entities are more accountable for improper disclosures.

What’s Borrowed

In spite of all the differences, some still argue the president’s latest proposal is merely a replay of failed past proposals. As EFF states, “President Obama's cybersecurity legislative proposal recycles old ideas that should remain where they've been since May 2011: on the shelf.” Other groups go as far as saying Obama’s latest proposal is merely “CISPA with a new name.” Analysis in this study shows, however, that even though the bill clearly borrows ideas and language from past proposals, it takes note of past concerns and makes an effort to adapt to address some of the criticisms. It remains unclear, however, whether the latest bill strikes the right balance needed to unlock a historically deadlocked Congress.

What’s Blue

Cybersecurity may be one of the most promising areas for common ground between Democrats and Republicans. Cybersecurity legislation has failed in years past in part because of criticism from Democrats and privacy advocates. CISPA, for example, passed the House, but withered in the Democrat-controlled Senate. The latest bill’s inclusion of previously lacking privacy protections may garner the bipartisan support needed to pass the legislation. Soon after the president announced his proposal, the chairman and ranking members of the Senate Homeland Security and Government Affairs Committee and the House Committee on Homeland Security issued a joint statement praising the idea of legislation encouraging information sharing. As Bennie Thompson (D-MS), Ranking Member of the House Homeland Security Committee, notes in the statement, “In this time of partisan rancor, the president’s proposal provides us with some important opportunities to build on the legislative success of the last Congress.”

Conclusion

While the president’s cybersecurity proposal takes significant steps towards incorporating new privacy protections, it leaves unanswered important questions and interpretative ambiguities. Notably, the bill limits what information can be shared; requires privacy protections to be put in place before information is shared with government agencies outside of DHS; restricts how law enforcement can use shared information; and narrows previously broad liability protections. At the same time, the latest proposal gives the government significant leeway for developing substantive privacy enhancing policies and procedures and leaves considerable ambiguities that policymakers will have to address. In particular, the bill requires the development of several sets of guidelines without pre-established criteria or a timeline for implementation. Until these uncertainties are resolved, support for the bill remains wavering.