This is where all the attention is being paid. The problem being addressed is that of companies knowing things that they can't legally tell others
but which might be of significant value to law enforcement or others charged with protecting or maintaining critical infrastructure.
The proposal is to provide immunity from other laws for sharing information that falls into a certain set of categories, which then may only be used for a certain set of purposes. All of the problems come from what these categories and purposes should be and how to define them. Ignoring the House bill, because that's already passed, there are two perspectives in the Senate. The Republican view, headed by McCain, and the 'Democratic' proposal, headed by Lieberman.
In this there are three components. What information can be shared. Who it can be shared with. What it can be used for.
A) What information can be shared;
Both bills define the categories of information that can be shared by making extensive lists of ways that cyber intrusions could be conducted and then defining any information relating to these as shareable. This is actually a narrow approach to the problem; previous proposals have used far broader terms as ways to catch all possible threats rather than listing the acceptable, actionable ones. It's even arguable that this limits the value of the bill by potentially excluding new threats. On the flip side, both also make information 'indicative of a threat' shareable. That makes things pretty broad again. The Republican bill then has a further broadening factor of 'network activity' indicative of 'malicious activity', which is left undefined. That part is scary.
The Democratic side has an additional provision that any such information must have been scrubbed (or rather, that reasonable efforts must have been made to scrub it) of personal information unrelated to the threat prior to sharing, otherwise the immunity doesn't apply. This is missing from the Republican proposal.
As a side note, the House bill as passed takes a very broad approach to defining the information to be shared. VERY broad. There were some amendments passed late in the process supposed to add privacy protections and others supposed to both narrow (removing IP theft) and broaden (not clear on this) the types of information to be shared. I haven't read these or solid analysis of them yet so won't comment.
B) Who it can be shared with;
This is almost the biggest fight in the Senate.
The Democratic bill gives the DHS authority to authorise a lead "Federal information sharing center". It may also authorise other sharing centres in both the public and private sector. It seems very likely this would lead to the DHS being the lead centre, although it's arguably undermanned and not optimal for this role. Broadly speaking this is the civilian option, keeping the DHS as the primary actor. The exact shape of this option is down to the DHS Secretary, and that's a presidential appointment (right now, Janet Napolitano). A future administration could easily shift control over to another body.
This sharing centre is then a hub for such information. They receive any information and determine what bodies (including other private companies) it should be shared with.
The Republican bill takes a somewhat different approach. It makes a list of many Federal bodies that are then permitted to act as sharing centres in the same manner as the Democratic bill. These include the NSA and other military bodies, as well as the FBI, Commerce and other groups that address a far wider spectrum of criminal activity than the DHS. There is then a requirement that the other federal bodies share their information in turn with the NSA. This is based on the view that the NSA is the best prepared body to confront such threats and that the military should take point on cybersecurity issues.
Both bills also allow for direct company-to-company sharing, bypassing the sharing centres. The Democratic bill only allows information to be shared with companies that directly manage critical infrastructure, or if simultaneously shared with a sharing centre. The Republican bill lacks these restrictions.
The Republican bill has an extra provision that requires any federal contractor to disclose any cyber security information that may relate to that contract.
C) What can the information be used for;
When it comes to private companies using the information the Democratic bill is narrower than the Republican.
In the Democratic proposal information shared between private companies may only be used to protect from cyber threats (as defined). They explicitly may not use such information to gain a commercial or competitive advantage. In addition to these two blanket restrictions the organisation sharing the information may add whatever additional restrictions they see fit to how the information may be used.
The Republican bill lacks the first provision, so the only restrictions on use are that it may not be to a competitive advantage and whatever the sharing party decides to add. This makes for potentially broad uses of information shared using the already more lenient private-to-private sharing provisions.
For federal/law enforcement use it's not a fun story.
The Democratic bill allows sharing centres to pass any information they hold "that appears to relate to a crime", committed or planned, to any law enforcement agency concerned with that crime. This is extremely broad.
The Republican bill has an apparent limiter on its version of this provision; it only allows information to be shared if the crime being discussed is one for which a wiretap order may be sought. Not that such an order needs to be sought, just that one could be under the relevant law. In reality this is an extensive list and barely narrower than the Democratic rule. It then has an additional allowance for non-cyber 'national security' purposes.
I'd again note that this is where the House bill is fucking awful. The only restriction I'm aware of on the use of information on the Federal side is 'regulatory purpose'. That's it.
So what needs doing here? I'd say you could scrap this whole section, but enough people in government do believe there is a need and we are likely to see something passed eventually. Personally, if this were to be passed, I'd want the Democratic bill with three major changes.
- Add a liability clause and strong enforcement of restrictions. That is, where information is either shared or used outside the narrow authorised definitions there should be a cause for private action against the sharing entity. In many cases such sharing will be actionable under existing law, but I'd want to toughen that up. I'd also like to see the sharing centres policing such violations actively, informing individuals if their rights are violated in such a manner.
- Remove the law enforcement sharing provision (and certainly the Republican 'national security' one). This is literally warrantless wiretapping, as tacitly admitted in the McCain bill when they restrict the crimes to those that may be wiretapped. Frankly, any communications that are actionable by law enforcement should be intercepted and acted on by existing provisions and laws, not through this system designed for a narrow purpose. I'm mostly OK with this law so long as it's used to cover cybersecurity holes. Once it's used to chase and track individual action it becomes a fourth amendment violation.
- I'd want the sole sharing centre to be defined as within the DHS, with an additional budget to ensure it is brought up to scratch. I'm uncomfortable giving this sort of work to the military or an agency with its primary role in other areas (such as Commerce or the FBI).
On top of these three major changes I'd also want some elements of the language tightened. Remove the 'indicative of a threat' provisions and require only the minimum of information required to describe a threat to be shared. Tighten up the restrictions on sharing private data to ensure that no, or minimal, identifying information can be shared and that whatever is shared can't be acted on. Etc.
I've been narrow here and only addressed the issues of the two Senate bills. There are additional questions that could be addressed, such as international cooperation. I'm not interested in that right now.