Next week will be cyber week in the House of Representatives, and the Senate is set to act soon on cybersecurity legislation. In recent months the growing cyber threat has caused the federal government to take steps to enhance cyber protection. On Wednesday, the House Committee on Homeland Security unanimously passed the bipartisan National Cybersecurity Protection Advancement Act (NCPA) of 2015, sending it to the House floor for approval. Although the NCPA is a step in the right direction for cyber protection and the committee made some positive changes, the bill still has some significant problems.
The Cyber Bill
The cyber bill seeks to improve cybersecurity by promoting voluntary sharing of cybersecurity information within the private sector and with the federal government. This legislation would increase the speed of identifying a cyber threat or vulnerability and mitigating it in private and public networks.
The bill takes a firm stance on providing strong liability protection to encourage sharing among businesses and with the federal government. Liability protection is important for businesses so that they can share information without fear of being sued for what the information might indicate or cause.
Two Problems, One Improvement
However, the legislation is still lacking on two fronts: the scope of authorized government uses of the shared information and overly burdensome privacy provisions.
The bill limits federal entities to using shared cyber threat indicators only for cybersecurity purposes in a very narrow sense. On this point, the revised bill is essentially unchanged from its first draft. Since cyber information sharing deals primarily with technical details of viruses and faulty coding, the government should be allowed to use this voluntarily shared information for other purposes, such as combatting identity theft, preventing serious violent crimes, and protecting national security.
The NCPA also falls short in streamlining privacy provisions that overly impede information sharing. The revised legislation removed one provision that genuinely facilitated the lucid flow of information. The provision stated that privacy protection should “not delay or impede the flow of cyber threat indicators,” an important provision given the need to share information rapidly in order to keep up with constantly changing cyber threats.
On the other hand, the bill took a step forward by reducing the number of required reports on privacy and protection of civil liberties. While the Chief Privacy Officer, the Inspector General, and the Chief Civil Rights and Chief Civil Liberties Officers must each still report on the privacy provisions, the revised NCPA at least reduces the frequency of these reports so as to not bury the Department of Homeland Security with reporting mandates.
A Step in the Right Direction
The NCPA takes a step in the right direction by maintaining a strong stance on liability protection, but it does not go far enough in broadening the scope of information-sharing uses for the federal government or in streamlining privacy measures.
In addition, while this bill is supposed to coordinate with the Protecting Cyber Networks Act, it’s unclear how that will happen, since the bills currently would set different liability standards, use potentially different sharing systems and hubs, and authorize different uses of shared information. The House should ensure that the final versions of these bills actually achieve clear and effective information sharing.