
In anticipation of tonight’s State of the Union, and as part of his weeklong cybersecurity and privacy focus, last Tuesday President Barack Obama visited the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) to announce a reboot of his 2011 cybersecurity legislation. The NCCIC (pronounced N-KICK) was created during my time at DHS to be a centralized operations and information-sharing center among federal agencies and representatives of critical infrastructure.

Therefore, it was the perfect place to reignite focus on cybersecurity information-sharing!

The president’s information-sharing legislative proposal closely mirrors the first comprehensive cybersecurity legislation, focusing on information-sharing, privacy protections and liability protections (Full disclosure: when I was at DHS, I provided feedback on the 2011 version of this bill).

As we are all aware, companies are generally leery of sharing information with the government and each other for a variety of reasons, including but not limited to competitive concerns; potential embarrassment—or prosecution—if their situation became public; protection of personal information and trade secrets, and not knowing where the information will be stored or with whom it would be shared.

The proposed legislation attempts to ameliorate those concerns in two ways—first with the catch-all “notwithstanding any other provision of law” in Section 103(a), and second with liability protections in Section 106. The “notwithstanding” catch-all is an attempt to address any legislation that might contradict this authorization to share cyber-threat indicators. The list of laws that may contradict this authorization is long; dozens of federal laws may directly or indirectly limit such sharing without the Section 103(a) caveat. Section 106 more expressly limits civil and criminal liability for those companies that share cyber-threat indicators.


It is unclear whether these comforts will be enough to garner support for the legislation, but given the recent major cyber incidents, these protections may be sufficient to encourage the much-needed information-sharing.

The legislative proposal also encourages enhanced information-sharing (real time and through Information Sharing and Access Centers and the NCCIC) from the government to the private sector. This was supposed to have been accomplished by the 2013 Executive Order under existing law; although information-sharing from the government to the private sector has increased in the past two years, it has not expanded as much as had been hoped. Of course, legislation provides an opportunity to amend existing law, which is what this proposal does.

The legislation also encourages the formation of the private-sector led Information Sharing and Analysis Centers and Organizations. There are several now among the critical infrastructure sectors, some of which are more effective than others. If passed, this legislation hopefully would increase the caliber and quality of information-sharing among and between private companies (consistent with privacy protections, of course!).

In the draft legislation, the privacy protections relate to the reduction of personal information in the information shared with the government. In that regard, the mitigating steps that the government is supposed to take in Section 107 are very useful and wholly appropriate. In addition, the DHS Privacy and Civil Rights and Civil Liberties Officers, and the Privacy and Civil Liberties Oversight Board, among others, are to be consulted ahead of time to make sure the privacy protections are complete. The legislation also contemplates a periodic review of the privacy protections to confirm their effectiveness, which is of course a “Privacy by Design” best practice.


Generally Section 107 is thorough and may ease some concerns about information-sharing with the government. What is less fortunate and less helpful is the requirement that the DHS and DOJ Privacy and Civil Liberties Officers draft an annual report “assessing the privacy and civil liberties impact of the governmental activities conducted pursuant to this Act.”

I cannot tell you what a burden these types of annual reports are for my former office and for similarly situated government offices. When I was at DHS, I had to prepare an annual office report, an annual FOIA report, an annual Chief FOIA Officer Report, quarterly reports on privacy reviews and complaints and an annual data mining report. And despite the thousands of hours it took to produce these reports to Congress each year, I probably answered three questions from Congressional staffers, all during previously scheduled meetings.

I never discussed any of the reports with any member of Congress.

This default reaction to require offices like the DHS Privacy Office to file annual or quarterly or semi-annual reports for filing’s sake is, in my humble opinion, not effective, does not foster a true dialogue on the issues and does not engender useful oversight.

There has to be a better way to have a dialogue and oversight on these important issues.

It will be interesting to see how this Congress deals with this proposal given the increased focus on cybersecurity and information-sharing. Tune in to the President’s State of the Union to see if he elaborates on this or his other privacy initiatives announced in the last week. And as a reminder, President Obama said “privacy” in his 2013 State of the Union address. The last president before that was Richard Nixon in 1974.

Perhaps the president is starting a trend?
