August 4, 2015

Differences In House and Senate Approaches to Cybersecurity Information Sharing Have Potential Privacy Implications

Arnold & Porter Advisory

In recent months, the House and Senate both introduced bills that aim to enhance cybersecurity by promoting information sharing among private entities, and between private entities and the Federal Government. On March 12, 2015, the Senate Select Committee on Intelligence (SSCI) approved the Cybersecurity Information Sharing Act of 2015 (Senate version). The Senate has not yet passed the bill.[1] On the House side, the House Permanent Select Committee on Intelligence (HPSCI) approved the Protecting Cyber Networks Act (House version), which subsequently passed the House.[2] Though the House and Senate versions are similar in many respects, their differences have left privacy advocates attempting to sort out which bill's information sharing provisions best protect privacy.

Comparison of House and Senate Versions: Sharing by Private Entities

Recent discussion regarding cybersecurity has focused on ways to facilitate information sharing among private sector entities, and between private sector entities and the Government, in an effort to enhance security. Though their approaches differ in some respects, both the House and Senate versions create information sharing processes aimed at addressing current cybersecurity concerns.[3]

The two bills encourage private entities to share information about "cyber threat indicators"[4] or "defensive measures"[5] among themselves and with the Federal Government by explicitly authorizing, and providing liability protection for, such sharing.[6]

The House and Senate versions both require that Federal entities receiving cyber threat indicators or defensive measures employ security controls to guard against unauthorized access to the shared information.[7] In addition, both bills require non-Federal entities to take similar steps to secure the information they share or receive.[8] Furthermore, both bills mandate that, prior to sharing, a Federal entity must review cyber threat indicators and remove any information that the Federal entity knows, at the time of sharing, to be personal information that is not directly related to a cybersecurity threat.[9] The bills also require that non-Federal entities scrub personal information prior to sharing, though the bills' requirements vary. The House version mandates that a non-Federal entity take "reasonable efforts" to remove information the entity "reasonably believes at the time of sharing" to be personal information not directly related to a cybersecurity threat.[10] The Senate version only requires such removal where an entity knows, at the time of sharing, that information is personal information not directly related to any cybersecurity threat.[11]

The major differences between the two bills on information sharing and liability include:

  • The House version requires the President to create policies and procedures for Government receipt of cyber threat indicators and defensive measures, and to submit those policies and procedures to Congress.[12] In contrast, the Senate version requires the Attorney General (rather than the President) to work together with the heads of appropriate agencies in order to create, and submit to Congress, such policies and procedures.[13]
  • The House version allows private entities to share information about cyber threat indicators or defensive measures with "appropriate federal entities,"[14] with the exception of the Department of Defense and the National Security Agency (NSA).[15] The Senate version authorizes private entities to share with the Federal Government without restriction, thus permitting a private entity to share directly with the NSA.[16]
  • The Senate version permits the Department of Homeland Security (DHS), which is instructed to develop a portal for the receipt of information from private entities,[17] to share information received from private entities with other appropriate Federal entities, including the NSA.[18] Though the House version does not permit private entities to share information directly with the NSA, it requires that information shared with other appropriate Federal entities be subsequently shared "in real-time with all of the appropriate Federal entities," which would include the Department of Defense and the NSA.[19] Both versions authorize this disclosure of shared information to other Federal agencies for cybersecurity purposes,[20] or to investigate or prosecute certain crimes unrelated to cybersecurity.[21]
  • In the Senate version, private entities are granted liability protection if information about cyber threat indicators is: (1) shared through the portal that the bill charges DHS to create; (2) shared through non-electronic means; (3) shared with the sharing entity's own regulator; or (4) is a cyber threat indicator that has been shared on a prior occasion.[22] The House version grants liability protection to private entities that conduct sharing solely pursuant to Section 103(c).[23] Thus, private entities are not protected from liability if they share cyber threat indicators or defensive measures directly with the Department of Defense or the NSA.
  • The House version provides that the Government may be liable where it acts intentionally or willfully in violating the privacy and civil liberties of injured persons.[24] The Senate version does not contain a similar provision.
  • The House version calls for the creation of the Cyber Threat Intelligence Integration Center (CTIIC) within the Office of the Director of National Intelligence (DNI). The Senate version does not. The House version mandates that the CTIIC: (1) "serve as the primary organization within the Federal Government for analyzing and integrating all intelligence possessed or acquired by the United States pertaining to cyber threats;" (2) "ensure that appropriate departments and agencies have full access to and receive all-source intelligence support needed to execute the cyber threat intelligence activities of such agencies and to perform independent, alternative analyses;" (3) "disseminate cyber threat analysis to the President, the appropriate departments and agencies of the Federal Government, and the appropriate committees of Congress;" (4) "coordinate cyber threat intelligence activities of the departments and agencies of the Federal Government;" and (5) "conduct strategic cyber threat intelligence planning for the Federal Government."[25]

The Obama Administration Supports the House Version, With Reservations

While the Obama Administration has not publicly taken a stance on the Senate version,[26] it has issued a Statement of Administration Policy supporting the passage of the House version.[27] The Administration commended the HPSCI's efforts to craft legislation on cybersecurity information sharing that incorporated better privacy protections, and "for requiring that intra-governmental sharing be governed by a set of policies and procedures developed by the Federal Government to protect privacy and civil liberties." Despite offering its overall support for the House version, however, the Administration noted that "[s]everal improvements are needed to ensure that [the bill] appropriately encourages and facilitates information sharing while safeguarding individuals' privacy interests and civil liberties."

Specifically, the Administration expressed concern that the bill's "sweeping liability protections" would "remove incentives for companies to protect their customers' personal information and may weaken cybersecurity writ large." With regard to these protections, the Administration opined that, because the House version only requires entities to take "reasonable measures" to scrub personal information before sharing with others, an entity that is "grossly negligent or even reckless" in doing so may be shielded from liability under such broad liability protection. In addition, the Administration took issue with the House version's approach of authorizing information sharing through numerous Federal departments. In contrast, the Administration expressed its support for a structure that would create "new liability-protected sharing relationships" through DHS's civilian entity, the National Cybersecurity and Communications Integration Center.

The Administration also expressed concern that the House version's authorization of defensive measures is not "adequately tailored." In the Administration's view, the bill's approach to such measures lacks appropriate safeguards, and thus raises "significant legal, policy, and diplomatic concerns and can have a direct deleterious impact on information systems and undermine cybersecurity." With its concerns noted, the Administration expressed its support for the passage of the House version so that the House and Senate can work together to improve the bill as the legislative process continues.

Privacy Advocates And Industry Differ on Both the House and Senate Bills

Privacy advocates oppose both bills. The Center for Democracy & Technology (CDT) has voiced its opposition to both the House and Senate versions of cybersecurity legislation. With respect to the House version, CDT takes issue with its authorization of defensive measures, failure to require adequate scrubbing of personal data, and failure to affirmatively address the cybersecurity-related conduct of the NSA.

CDT asserts that the House version contains "egregious provisions" that liken it to a surveillance bill, not a cybersecurity bill.[28] Specifically, CDT takes issue with the requirement that a cyber threat indicator shared with the Federal Government be immediately shared with the NSA, because it believes such a requirement will chill the very sharing the bill is meant to promote. Further, CDT is concerned that the House version will allow cyber threat indicators shared with the Federal Government by private entities to be used to investigate crimes having nothing to do with cybersecurity. CDT is also concerned that the bill does not include a mechanism to encourage private entities to follow the information sharing rules it establishes.

CDT has also continuously voiced its opposition to the Senate version. CDT takes this position because the bill permits private entities to share information directly with the NSA, and the Government may use shared information for law enforcement purposes unrelated to cybersecurity.[29] CDT has noted that the Senate version's authorization of companies' sharing "information derived from users' internet communications directly with the NSA" is an important distinction between the two versions. Last month, CDT voiced its disapproval of the attempt to attach the Senate version to the National Defense Authorization Act.[30] Though CDT believes that some improvements to the bill were made during the committee mark-up, it views further debate and amendment as necessary to address the remaining privacy and civil liberties issues with the Senate version.

Other privacy advocates have also voiced their opposition to the House version. The American Civil Liberties Union and the Electronic Frontier Foundation, along with several other open government and civil liberties groups, wrote a joint letter in opposition to the bill.[31] The groups opined that, while the House version is "less pernicious" than the Senate version, it nonetheless falls short of providing adequate privacy protections. The groups expressed their concern that the House version, if passed, would likely increase Government secrecy and invite surveillance abuses.

Industry groups, on the other hand, support both bills. The Protecting America's Cyber Networks Coalition (Coalition), which includes the United States Chamber of Commerce ("Chamber"),[32] supports the passage of the Senate version, and urged the Senate to consider and pass the bill in a letter to Senate members.[33] The Coalition called on Congress to send a bill to the President that would provide businesses with a "safe harbor against frivolous lawsuits" as they voluntarily share and receive information about cyber threat indicators and defensive measures "in real time." Further, the Coalition opined that the Senate version reflects "sound compromises" between offering protections related to the timely exchange of information between businesses and the Government, and safeguarding privacy and civil liberties through the assignment of appropriate roles for Government agencies and departments.

In addition to supporting the Senate version, the Chamber supported the passage of the House version.[34] When the House version passed, the Chamber issued a statement applauding the House for its work. Bruce Josten, the Chamber's Executive Vice President for Government Affairs, stated, "[t]he Chamber has long advocated for legislation that gives businesses strong protections from liability when voluntarily sharing and receiving cyber-threat indicators and taking actions to mitigate cyberattacks--and [this bill does] that."[35] Former Secretary of DHS, and former Governor, Tom Ridge (R-PA), chair of the Chamber's National Security Task Force, asserted that the House version "knocks down barriers" to cybersecurity information sharing and monitoring that inhibit even those companies with the best of intentions. Ridge believes the improved sharing will help both businesses and their government partners "bolster their defenses against cyberattacks."

Conclusion

Given the Administration's support of the House version, and recent large-scale data breaches affecting consumers, industry, and the Government, it seems likely that the President, if presented with the opportunity, will sign a cybersecurity bill passed by both the House and the Senate. It remains unclear when any action on the Senate version might occur. Since the attempt to append the legislation to the National Defense Authorization Act, no further action has been taken.[36]

  1. Last month, Senate Majority Leader Mitch McConnell (R-KY) proposed that the Senate version be considered as an amendment to the National Defense Authorization Act. SSCI Chairman Richard Burr (R-NC) supported the measure, but other SSCI members voiced their opposition. Press Release, Richard Burr, Senate Intel Chairman Burr on the Addition of Cybersecurity Bill to the Defense Authorization Bill, June 9, 2015, available here. The amendment to add the Senate version to the National Defense Authorization Act ultimately failed 56 to 40 (60 votes were needed to proceed).

  2. On April 22, 2015, the House passed its version in a 307 to 116 vote. The bill, which would amend portions of the National Security Act of 1947, is Title I of H.R. 1560. The Senate received H.R. 1560 in its current form on April 27. The House Homeland Security Committee also introduced a cybersecurity bill: the National Cybersecurity Protection Advancement Act of 2015 (NCPAA). NCPAA passed the House in a 355 to 63 vote on April 23. It became Title II of H.R. 1560 when combined with HPSCI's House version, and would amend portions of the Homeland Security Act of 2002.

  3. See Eric A. Fischer & Stephanie M. Logan, Cybersecurity and Information Sharing: Comparison of H.R. 1560 and H.R. 1731 as Passed by the House, June 18, 2015, available here.

  4. The House version defines a "cyber threat indicator" as information or a physical object that is necessary to describe or identify malicious reconnaissance; a method of defeating a security control or exploiting a security vulnerability; a security vulnerability; a method of causing vulnerability; malicious cyber command and control; actual or potential harm caused by an incident; and any other attribute of a cybersecurity threat if its disclosure is not otherwise prohibited. See House version, Section 110(5)(A)-(G). The Senate version's language is almost identical except for its omission of "or a physical object." See Senate version, Section 2(6)(A)-(H).

  5. Both the House and Senate versions authorize private entities to operate defensive measures against potential hacks, and to share with the Government information about such measures. The House version defines the term to include an "action, device, procedure, technique, or other measure." See House version, Section 110(6). The Senate version defines "defensive measures" as an "action, device, procedure, signature, technique, or other measure." See Senate version, Section 2(7)(A) (emphasis added). Both versions explicitly exclude from the term "defensive measures" those measures that destroy, render unusable, or substantially harm an information system not belonging to the acting entity or an entity, whether public or private, that consented to such actions. See House version, Section 103(b)(1)-(2); Senate version, Section 2(7)(B). Notably, while both bills authorize defensive measures, neither offers any immunity for use of these measures.

  6. House version, Section 103(c)(1)(A)-(B); Senate version, Section 4(c)(1).

  7. House version, Section 102(a); Senate version, Section 3(b)(1)(D).

  8. House version, Section 103(d)(1); Senate version, Section 4(d)(1).

  9. House version, Section 102(a); Senate version, Section 3(b)(1)(E).

  10. House version, Section 103(c)(1).

  11. Senate version, Section 4(c)(D)(2)(A).

  12. House version, Section 104(a)(1).

  13. Senate version, Section 5(a)(1).

  14. The House and Senate versions both define "appropriate Federal entities" to include the Departments of Commerce, Defense, Energy, Homeland Security, Justice, Treasury, and the Office of the Director of National Intelligence. See House version, Section 110(2)(A)-(G); Senate version, Section 2(3)(A)-(G).

  15. House version, Section 103(c)(1)(A).

  16. Senate version, Section 4(c)(1).

  17. Senate version, Section 5(c).

  18. Senate version, Section 5(c)(1)(C), (c)(4).

  19. House version, Section 104(a).

  20. The Senate version defines "cybersecurity purpose" as "the purpose of protecting an information system that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability." See Senate version, Section 2(4). The House version defines "cybersecurity purpose" as "the purpose of protecting (including through the use of a defensive measure) an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability or identifying the source of a cybersecurity threat." See House version, Section 110(3) (emphasis added).

  21. House version, Section 104(d)(5)(A).

  22. Senate version, Section 6(b)(2).

  23. House version, Section 106(b).

  24. House version, Section 105(a).

  25. House version, Section 104(c).

  26. Senate Republican Policy Committee, S. 754 - Cybersecurity Information Sharing Act of 2015, June 10, 2015, available here.

  27. Office of Management and Budget, "H.R. 1560 - Protecting Cyber Networks Act" Statement of Administration Policy, April 21, 2015, available here.

  28. Greg Nojeim, Cybersecurity Information Sharing Bills Fall Short on Privacy Protections, CDT, April 22, 2015, available here.

  29. Greg Nojeim, Troublesome Cyber Surveillance Bill Advances, CDT, March 18, 2015, available here.

  30. Press Release, Senate Rightly Rejects Advancement of Cybersecurity Bill, CDT, June 11, 2015, available here.

  31. American Civil Liberties Union, Open Letter to Members of Congress, April 21, 2015, available here.

  32. Coalition members also include the American Bankers Association, the Federation of American Hospitals, and the National Association of Manufacturers.

  33. Protecting America's Cyber Networks Coalition, Open Letter to Members of U.S. Senate, April 30, 2015, available here.

  34. Protecting America's Cyber Networks Coalition, Open Letter to Members of the U.S. House of Representatives, April 21, 2015, available here. See also Chamber of Commerce of the United States of America, Open Letter to the Members of the U.S. House of Representatives, April 22, 2015, available here.

  35. U.S. Chamber of Commerce, U.S. Chamber Applauds Passage of House Cybersecurity Bills, April 23, 2015, available here.

  36. Jennifer Steinhauer, Today in Politics: Senate Leaves Cybersecurity Off Its Post-Holiday Rush, New York Times, July 9, 2015, available here.
