House cyber bill needs a reboot

This week, the House of Representatives is scheduled to take up the Cyber Intelligence Sharing and Protection Act (CISPA). Among other things, the legislation would authorize open-ended sharing of threat information between certain private companies and the federal government, and grant those companies unlimited legal immunity. I — along with more than 30 civil liberties and privacy groups ranging from the ACLU to the Competitive Enterprise Institute — believe the bill is badly flawed, and will harm the privacy and civil liberties of our citizens. While the Intelligence Committee amended CISPA last week, purporting to address privacy-related issues, the changes do not ameliorate the core concerns I have with the bill.

CISPA would create a “Wild West” of information-sharing, where any “certified” private-sector entity could share information with any federal government agency for various ill-defined purposes. By allowing for the direct sharing of information between the private sector and the National Security Agency, as well as other Defense Department agencies, the legislation hastily casts aside time-tested legal prohibitions on intelligence agencies and the military operating on U.S. soil. The bill should be amended to prevent this direct sharing with non-civilian agencies.

CISPA would also create duplicative information-sharing processes with no central oversight or accountability. Successive administrations have expended enormous resources building proper information-sharing programs at the Department of Homeland Security and the FBI; these efforts should be enhanced, not clouded by permitting the proliferation of redundant programs across the federal government. 

The legislation also removes current legal protections applicable to companies that facilitate and process our private communications and share them with the government and one another. Companies sharing information would be exempt from all privacy statutes and would be relieved of liability for recklessly sharing, or deciding not to share, information. Without narrowly defining the information that may be shared, limiting with whom it may be shared and why, and preserving mechanisms to provide accountability for wrongdoing, the privacy of our citizens and confidence in the trustworthiness of our electronic communications networks would be weakened. For example, the bill would not prevent a company sharing cyber threat information from including data not necessary to understanding the threat, such as private emails between family members or personal information such as medical records, in a data dump to the government.

The bill should narrowly define the categories of information that may be shared, such as malicious code or methods of defeating cybersecurity controls, and require that companies sharing the data take reasonable steps to remove information identifying individuals not involved in the threat. It is not enough to require government recipients of the data to remove the private information because it should never be sent to the government in the first place. The bill therefore should be amended to require that companies sharing cyber threat information make reasonable efforts to remove such personally identifiable information from the data they share with other companies and the government.

The bill’s liability protection provisions are also unnecessarily broad and eliminate the ability of aggrieved citizens and companies to protect and secure their privacy, as well as their property and physical well-being. Regardless of whether a company acted recklessly or negligently, the bill would prevent civil or criminal actions for decisions made for cybersecurity purposes “based on” cyber threat information. In effect, the legislation removes critical incentives for industry to act reasonably concerning cyber threat information. 

Consider a situation in which a telecommunications company, through its operations, becomes aware of a cyber threat directed toward a utility but fails to notify the critical infrastructure company of the threat, denying the utility the opportunity to engage in defensive measures and resulting in a catastrophic event that produces substantial property damage and loss of life. Under the legislation, the telecommunications company, by characterizing its decision not to notify as one made for a cybersecurity purpose, would be able to avoid legal liability. The bill’s exemption from liability should therefore be narrowed to exclude protection for such decisions.

The cyber threats our nation faces are serious, and we need to take action. The president’s recent executive order directing the enhanced sharing of cyber threat information by the government to industry is a significant step in the right direction. Legislation encouraging information-sharing by the private sector is also required, but it must be carefully crafted and limited to actual threats. The House version of CISPA is not the right solution to this real problem, and it must be fixed before it reaches the president’s desk. 

Conyers and Thompson are the ranking members of the House Judiciary Committee and the House Homeland Security Committee, respectively.