Internet privacy groups are rightfully concerned with some of the information sharing proposals in the House bills. It’s important to note, however, that not all information sharing is alike. Proposals differ in how the federal government receives information and what handling requirements are placed on those transactions. In essence, there is bad information sharing and good information sharing.
The House proposals are also structured so that private owners share information on cyber breaches with the federal government on a voluntary basis. Most companies would share information in a voluntary scheme because they want to protect their own systems and contribute to the security of the nation. A few, however, may choose not to share information on attacks or intrusions. In an interconnected world, one weak link in the chain is a sufficient entry point for intruders to cause real damage.
If a company can choose not to share information on an intrusion because the system is voluntary, our intelligence and security leaders will have an incomplete picture of the cyber risks to our country. In short, this makes it harder for them to do their jobs and that is unacceptable.
While the House considers legislation with these bad proposals, the Senate is considering another option that includes a better system of information sharing and critical infrastructure protection. A bipartisan group of Senators—Joe Lieberman, Susan Collins, Jay Rockefeller, and Dianne Feinstein—is leading an effort to pass legislation that requires the owners of core critical infrastructure to share information on attacks and intrusions with a single federal entity: the National Center for Cybersecurity and Communications.
This is a common-sense approach. In an interconnected world we should have a consistent plan for reporting attacks so that we can mitigate the damage of ongoing attacks and stop them from happening again.
The Senate’s bill also includes language to protect “Personally Identifiable Information”. Imagine a scenario where a hacker gains access to email accounts at a major financial institution (last month the world’s largest credit card payments processor—Global Payments—was hacked). The bipartisan Senate bill would require the institution to scrub the email chain of information on its clients’ personal bank accounts before giving federal authorities the information they need to investigate the intrusion. The House bills do not provide this layer of individual protection.
Information sharing, with protections for both personal privacy and critical infrastructure, must be included in any cybersecurity legislation if we want to address our national security vulnerabilities. Without these provisions, we won’t be as effective in preventing and responding to cyber attacks, and mitigating the effects of those attacks. There is a way to do this that balances the security needs of the country with the privacy rights of its citizens.
A bipartisan group of Senators has correctly struck that balance and we should support their efforts.
Matthew Rhoades is director of legislative affairs at the Truman Project and Truman Institute.