After years of debate, Congress last December passed three bills focused on combating cybercrime. President Obama quickly signed each bill into law.
They include:
- National Cybersecurity Protection Act of 2014. The most notable piece of legislation for the private sector, this Act establishes a framework for private entities and government authorities to share intelligence about cyber threats and incident response plans. However, much to the dismay of many private entities, this stripped-down version of an earlier House bill lacks the liability protections that many companies had desired.
- Federal Information Security Modernization Act. This Act creates a structure for maintaining safeguards to protect federal government data. It encourages government agencies to use automated security tools to identify and correct security deficiencies, building upon the risk management framework originally established by the Federal Information Security Management Act of 2002. It also requires that agencies report major cyber incidents to Congress within seven days of discovery.
- Department of Homeland Security (DHS) Cybersecurity Workforce Recruitment and Retention Act; Homeland Security Cybersecurity Workforce Assessment Act. Attached to the Border Patrol Agency Pay Reform Act of 2014, these bills grant DHS expanded authority to hire and compensate cybersecurity experts. Additionally, the bills require the Homeland Security Secretary to identify areas of critical need in the DHS cybersecurity workforce and submit a progress report to Congress. GAO is also directed to monitor and report on the implementation of these DHS cybersecurity workforce measures.
Congress is currently debating several additional measures that would go further in protecting the private sector. On April 22, the House of Representatives passed the Protecting Cyber Networks Act and, the following day, the National Cybersecurity Protection Advancement Act. Both bills encourage private companies to share cybersecurity threat information with federal authorities or other private firms and provide protection from consumer lawsuits for such information-sharing. To gain legal protections, the shared information must first be stripped of personal information. Government agencies receiving these notifications may then share that information with other appropriate federal agencies, such as NSA and DoD. Proponents claim that this level of information sharing is critical to creating coordinated responses to threats and protecting against large-scale attacks. Critics contend these bills threaten data privacy and erode civil liberties, because authorities would likely be able to gain access to vast amounts of otherwise private data. These concerns are not without merit—the legislation would effectively allow companies, under some circumstances, to completely bypass a plethora of federal and state privacy laws. What’s more, disseminated information could ultimately be used by government authorities for purposes unrelated to cybersecurity, including the policing of felonies such as kidnapping and selling drugs.
For private entities, the key to complying with such information sharing laws will be to adequately “scrub” data of personal information before sharing it with the government. Each bill, if enacted, would provide opportunities to enhance the sharing of cyber threat information and enable companies to be better protected against cyberattacks. But taking advantage of the legal liability protections afforded by such laws will require careful compliance with their safe harbor provisions.
As we saw last year, there is bipartisan support in both chambers of Congress and Administration backing for legislation adequately addressing cybersecurity. Additionally, large numbers of businesses have been lobbying Congress on the issue, which is likely to ensure adequate liability protection for information-sharing companies. The Senate may take up these bills individually, or the issues could be considered in the NSA reform and PATRIOT Act debates. Either way, it will be important to strike an appropriate balance between encouraging information coordination and protection of privacy if this new legislation is to pass.