Competing Bills Focus on Cybersecurity Information Sharing But Final Language and Ultimate Passage Remain Unknown
There are currently three major cybersecurity-related bills pending in the 114th Congress that address information sharing among private entities and between private entities and the federal government: the Protecting Cyber Networks Act (PCNA), H.R. 1560, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA), H.R. 1731, and the Cyber Security Information Act of 2015 (CISA), S. 754. Some of the key issues that need to be resolved across these bills include: which agency will be designated as the lead as a clearinghouse for cyber threat information, what liability protections will be granted to those companies that do share information, and whether the structures established under any of these bills will also facilitate greater sharing of government threat information with the private sector. Although the bills all provide that existing reporting requirements will not be disturbed, such as those for Department of Defense “(DOD”) contractors, it remains unclear how these different reporting schemes will interact. Similarly, these bills do not address a provision in the House version of the 2016 National Defense Authorization Act that would provide liability protection to certain DOD contractors for properly reporting cyber incidents on their networks and information systems.
Restrictions on the sharing of cyber threat and vulnerability information are often raised as significant barriers to effective cybersecurity. But the sharing of such information is not without risk. In particular, private entities have raised concerns about how the government would use this information and whether such disclosures could result in antitrust, privacy or other legal complications. These bills look to increase incentives for cooperation between the government and the private sector in fending off cyber-attacks by encouraging private companies to voluntarily share information about the particular traits of cyber-attacks—what the bills refer to as “cyber threat indicators”—that they have previously encountered. In response to some of the concerns previously voiced by industry, these bills provide civil suit immunity for private entities that elect to share their information with each other and with the government. The bills also contain liability protection for contractors who monitor government computer systems. What follows is a brief comparison of all three major bills and why their different approaches may or may not benefit government contractors.
The House Bills
The PCNA is a product of the House Select Committee on Intelligence, and is intended to promote the voluntary sharing of intelligence related to “cybersecurity threats,” with sharing to be coordinated by the Director of National Intelligence (DNI). It is sponsored by the Committee’s chairman, Devin Nunes (R-CA), and has eight cosponsors, five of whom are Democrats. As previously reported by Covington’s Inside Privacy Blog, it was passed by the House with 307 votes in favor on April 22. The NCPAA is intended to amend the Homeland Security Act so that the Department of Homeland Security (DHS) coordinates the sharing of cyber threat indicators. It is sponsored by two Republicans, including House Homeland Security Chairman Michael McCaul (R-TX). It was passed by the House with 355 votes in favor on April 23. Both bills were combined into H.R. 1560 — making the PCNA Title I and the NCPAA Title II — and then received by the Senate on April 27.
The Senate Bill
The Senate’s bill, CISA, is a product of the Select Committee on Intelligence. The Committee’s report is available here. Senate Republicans tried and failed to add CISA to the Senate 2016 National Defense Authorization Bill on June 11, 2015, thus leaving passage of the bill out of the Senate and into conference with the House unclear.
Important Features of All Three Major Bills
A Voluntary Process
All three bills state that the provisions in the bills are not intended to alter current contractual agreements between entities (or contractors and federal entities) with regard to reporting cyber incidents. For example, section 109(g) of the PCNA states that “[n]othing in this title shall be construed to…amend, repeal, or supersede any current or future contractual agreement…between any non-Federal entity and a Federal entity.” Similar provisions are contained in the NCPAA and in CISA. It is unclear, however, whether the limitations on liability proposed for voluntary sharing of information could be extended to the reports currently required for cyber incidents involving unclassified controlled technical information (“UCTI”). Moreover, on April 27, 2015, House Armed Services Committee Chairman Mac Thornberry (R-TX) proposed an amendment to the 2016 NDAA that would provide liability protection to certain DOD contractors for properly reporting cyber incidents on their networks and information systems. If this provision is passed in the 2016 NDAA, it may need to be reconciled with the liability protections in the proposed bills for voluntary sharing of information.
Information sharing under these bills is intended as a voluntary process. All three bills contain an “anti-tasking restriction,” which prevents the federal government from requiring private entities to share information about cybersecurity threats. The bills also prohibit the government from conditioning the award of the contract on the provision of information about cyber threat indicators by the offeror. Furthermore, all three bills contain a clause protecting from any liability connected to choosing not to share information pursuant to the bills. Presumably, however, this does not prevent agencies, such as DOD and the Intelligence Community from imposing separate reporting requirements on a regulatory and contractual basis as currently exists for certain defense related information. Nor do these bills appear to alter existing voluntary information sharing relationships such as the Defense Industrial Base voluntary sharing initiative.
Liability Protections for the Sharing of Cyber Threat Indicators
Because the sharing of cyber indicators is voluntary, the bills attempt to encourage participation by providing companies with immunity to any civil suit connected to disclosure pursuant to the bills. Thus, under any of the three proposed regimes, private companies who share cyber threat indicators with each other or with the government are protected against suits brought by those whose private information may have been inadvertently shared. These protections have led to some criticism of the bills in the media, especially by privacy advocates. In particular, many companies have relationships with the FBI and it is unclear whether the liability protections would extend to information shared with law enforcement. Both the PCNA and CISA authorize the government to use any cyber threat indicators provided to it not only for “cybersecurity purposes,” but for a number of law enforcement purposes, including the prosecution of the theft of trade secrets.
There are also a few additional legal protections built into each bill that concern sharing information with the government in particular. Sharing cyber threat indicators does not entail a waiver of any privilege or protection, including trade secret protection. Further, under all three bills, the sharing of cyber threat indicators may not be subject to any rules or regulations concerning ex parte communications with federal officials.
Still, the protection provided by the bills is not absolute; those submitting information about cyber threat indicators must scrub the information to make sure they are not providing personally identifying information that is not related to the underlying threat. Those who engage in “willful misconduct,” or, in the case of CISA, “gross negligence” when sharing this information and scrubbing it of personal data may still be held liable.
A Lack of Reciprocity
Perhaps the biggest downside of all three bills for many government contractors is that there does not appear to be any immediate, direct benefit to sharing information with the government. While contractors who share information with the government cannot be held legally liable for the information they shared under normal circumstances, they also receive no special consideration in exchange for sharing this information. While a general climate in which information about cyber threat indicators is spread rapidly could be beneficial, it would appear from the current bills that there are many benefits associated with receiving information about cyber threat indicators, and few benefits associated with providing that information. This lack of incentive has been noted by commentators, including the Congressional Research Service.
Monitoring and Defensive Measures
Contractors who provide cybersecurity services may note that all three bills expressly permit private entities to monitor and defend the computer systems of federal agencies, contingent on written authorization. Under the bills, “monitoring” generally involves scanning the contents of a computer system, while “defensive measures” are actions or other measures used on information systems that prevent or mitigate known or suspected cybersecurity risks, threats, or security vulnerabilities. The PCNA and CISA specify that private entities will be protected from liability related to engaging in “monitoring” of government and private computer systems. The NCPAA also provides a liability exception, a textual difference being that it uses the term “Network Awareness” as opposed to “Monitor.” However, none of the three bills provides liability exception for a private company’s operation of a defensive measure on a government or third party information system if such defensive measure causes harm to that system. Interpreting which actions are monitoring and which actions rise to a “defensive measure” could be another challenge for contractors. In May, Assistant Attorney General Leslie Caldwell stated at the Georgetown Cybersecurity Law Institute conference that the Department of Justice is “considering whether to offer guidance on other types of effective and truly defensive countermeasures that are considered to be beneficial by cybersecurity expert.” The guidance would not address hacking back, which DOJ considers unlawful under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, but the guidance may illustrate permissible steps that companies could take to address cyber threats. Her full comments are linked here.
Different Reporting Structures
The principle difference between PCNA and CISA on one hand, and the NCPAA on the other, is the chosen method for how information about cyber-security indicators is to be shared with the government. The PCNA states that information is to be shared with “appropriate federal entities except DOD,” which includes most major departments; procedures governing the sharing will developed by the DNI. The PCNA also provides specific requirements for the Administration’s newly created Cyber Threat Intelligence Integration Center, which including requiring it to be located within the DNI and serve as the “the primary organization within the Federal Government for analyzing and integrating all intelligence possessed or acquired by the United States pertaining to cyber threats.” CISA specifies that information is to be shared with “the federal government through [a] real-time process” developed by DHS. The NCPAA also looks to DHS, and cites the agency’s “National Cybersecurity and Communications Integration Center” (NCCIC) as the clearinghouse for data. Any final law would need to reconcile this reporting scheme.
The Bottom Line
The bottom line for most contractors is that any current contractual obligations to report cyber incidents should not be altered by any of the three cybersecurity bills currently pending. Under the bills, the government cannot condition the award of a contract on the provision requiring the sharing of cybersecurity threat information. However, the bills do not eliminate existing mandatory reporting requirements, nor do they impose limits on any new such requirements. Those interested in voluntarily sharing cyber threat indicators with the government or other non-federal entities may benefit from protection from the liability limitations in the bills, but will not receive any special compensation for sharing. Contractors who monitor federal computer systems will need to understand the line between monitoring and defensive measures to take advantage of the liability limitations in any bill that is finally passed. Although these bills appear to be a step in the right direction as far as limitations of liability, some private firms, especially those in the commercial sector, are still looking for more guidance and threat information from the government.
 There are two other legislative proposals in addition to the PCNA, NCPAA, and CISA. The Cyber Intelligence Sharing and Protection Act, H.R. 234, has seen no action since being introduced in the House early in 2015. The Senate’s Cyber Threat Sharing Act of 2015, S. 456, is similar to a White House legislative proposal. This bill has similarly remained dormant since first being introduced. Neither of these proposed laws contain the depth of the three major bills.