Most people involved in the cyber-terrorism debate agree that better information sharing between the private sector and government is needed—the current law structure doesn’t allow for good enough cooperation between government security agencies and private companies who come under massive cyber-attacks.
One bill in the House, by Representative Dan Lungren, does a decent job of addressing these concerns. It’s being debated this month in the normal procedure of open committee sessions. But another bill, by Representatives Mike Rogers and C.A. Dutch Ruppersberger, containing potentially grave civil liberties violations, was approved in one secret session—and is the bill being promoted by Republican House leadership and industry groups.
The Rogers-Ruppersberger bill creates a “cybersecurity exception” to every federal and state law that allows private companies to share Americans’ private communications with the National Security Agency, the Pentagon, the CIA and basically any other federal agency that requests it. The Lungren bill, by contrast, limits all of the sharing to the Department of Homeland Security, a civilian agency—and this is an important distinction. The DoD’s Cybercommand, along with the NSA, are notoriously secretive and not subject to many of the transparency rules in place at DHS.
This takes the nation’s cybersecurity efforts—and all of the very delicate monitoring that goes with it—and transfers it to the military and away from civilian control.
Even more troubling, the Rogers-Ruppersberger bill doesn’t limit the type of information that can be shared to specific cyber-terrorism threats—the language is vague to the point where virtually any communication could be shared. The information simply needs to be “pertaining to the protection of” a system or network—not related to a known attack or threat. And all networks are included—not just, say, computer networks that run the power grid or control flight patterns. Since hackers often use routine Internet, this would allow ISPs to share virtually all Internet traffic with the government.
Once the government has possession of that information, it can use it however it wants—it does not necessarily need to pertain to a cyber-terrorism investigation. (The Lungren bill limits the use to “related law enforcement).”
It’s not hard to see how, if passed, the Rogers-Ruppersberger bill would allow private companies to share basically any private electronic communications it wanted with any government agency, for virtually any purpose. The ACLU, the Electronic Frontier Foundation and the Center for Democracy and Technology are launching major campaigns to stop it.
Rogers has defended his bill on the grounds that information-sharing by private companies is completely voluntary under his proposed law, which is true. But he doesn’t mention that, in exchange for sharing the information, the companies receive help from the NSA in identifying a cyber-attack—and more importantly, under Rogers’ bill the companies receive blanket immunity from any lawsuits pertaining to the sharing.
In an op-ed for ABC News, Leslie Harris of the Center for Democracy and Technology explains this is why the industry is backing the bill:
For companies, the answer is easy: there is freedom to share information with whatever entity you please, blanket immunity for sharing, blanket immunity for a recipient of shared cybersecurity information who fails to take protective measures even when they are clearly needed, and no regulatory burdens are imposed.
The Rogers bill, along with the Lungren bill, will be debated the week of April 23. We’ll be sure to stay on top of it.