Despite recent criticisms to the contrary, the new privacy safeguards contained in the bill are carefully crafted and would not undermine the bill’s cybersecurity purpose or hinder the ability of private companies to share threat information. The bill would authorize an information sharing system under which the government would share cyber threat information with the private sector to enable companies to better protect their networks, and companies in turn would be authorized to disclose “cybersecurity threat indicators” to other private entities or to government “cybersecurity exchanges.” This information sharing would be completely voluntary. The carrot to induce private companies to participate in the program is new liability protection; if companies choose to share information under the legislation’s terms, they will be immune from liability for even negligent acts.
The legislation recognizes that creating new channels for government access to vast quantities of information from private networks requires incorporation of meaningful privacy safeguards. Thus, if companies do participate in the program, they must make “reasonable efforts” to remove information that “can be used to identify specific persons unrelated to the cybersecurity threat” from the data that they share. Similarly, the bill is designed to ensure that the information shared with the government is used for the intended cybersecurity purposes and includes strict limits to prevent use for unrelated government purposes.
These are critical safeguards to include. As part of my work with The Constitution Project’s bipartisan Liberty and Security Committee, I have joined with other former government officials and legal and other experts to develop a set of recommendations to ensure that any government cybersecurity programs are designed to protect both our computer networks and our constitutional rights. Many of our recommendations have been included in this new bill, such as strict use limits to avoid government repurposing of cyber threat information and to prevent efforts by law enforcement to conduct an end run around Fourth Amendment warrant requirements. Similarly, the bill would require meaningful safeguards for personally identifiable information and the content of private communications if they are shared under the new program. These limits on law enforcement use unrelated to cybersecurity also promote information sharing by giving companies confidence that their customers’ data will not be used inappropriately, and they are consistent with law enforcement and national security needs.
In addition, all federal cybersecurity exchanges established under the bill – the hubs that may receive information from the private sector under the program – will be civilian agencies. This requirement is important to ensure that this new program to safeguard private civilian networks will not be under military control. However, the bill would still enable the NSA and other military agencies to share their cyber expertise to protect computer networks. These agencies will be able to provide cyber threat information to the private sector, and after the civilian exchanges receive information from the private sector they can bring in experts from other agencies including the NSA. The legislation makes it clear that information sharing is to be automated to the greatest extent possible, so that a civilian agency serving as an exchange can apply automated privacy safeguards and ensure that the right information gets to the right government agency quickly.
Finally, the bill includes several savings clauses, so any current sharing arrangements between a private company and a government agency, including the NSA, are unaffected. If a particular company does not wish to comply with the rules for this new program, it can continue sharing under any earlier agreements – the company will simply not be able to benefit from the new liability protections offered by the bill. Any claim that the bill creates new limits or new liability for companies fails to recognize these savings clauses.
As a result, S. 3414 includes far more meaningful privacy safeguards than does the Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House in April, the competing Senate bill (SECURE IT), or the earlier version of the Cybersecurity Act. The sponsors of S. 3414 and the Senators who worked with them to incorporate these new privacy safeguards should be applauded for their efforts. These provisions have been carefully crafted to avoid the extreme results suggested by some opponents of the legislation. Senators should resist any efforts to weaken or undermine these provisions.
Hutchinson was undersecretary of the Department of Homeland Security under President George W. Bush, and served as a congressman from Arkansas from 1997 to 2001. He is currently a lawyer in private practice in Little Rock, AR, and is a member of The Constitution Project’s Liberty and Security Committee.