Steptoe Cyberblog

The Cybersecurity Act of 2012; Hacker Protection

Posted in Cybersecurity and Cyberwar, Data Breach, Privacy Regulation, Security Programs & Policies

A revised draft of the cybersecurity bill contains information sharing provisions that were heavily negotiated between the Obama administration and privacy groups. This effort at compromise has prompted the usual ambiguous praise from privacy groups. The Electronic Frontier Foundation, though “pleased” with the progress, complained that the measure still “contains broad language around the ability for companies to use security as a reason to partake in ‘nearly unlimited’ data monitoring of users.”

The reality is, privacy groups have added so much baggage to the information sharing provisions that the new law is nearly useless to private sector companies who want to improve cybersecurity. In fact, it may impose an entire new regulatory and liability yoke on companies that treat cybersecurity seriously.

Why are the information sharing provisions necessary? The reason is that, with the support of privacy groups in years past, Congress prohibited many companies from sharing customer information with the government in the absence of a subpoena. Congress also authorized states to adopt “two-party consent” restrictions on interception of communications. In an age of widespread network intrusions, both of these laws have the effect of protecting hackers and spies.

In simple terms, controlling spearphishing requires that incoming packets be monitored for malware; and that in turn means intercepting the communications. Since it’s unlikely the attacker who is sending malware will consent to such monitoring, this monitoring creates legal risks in two-party consent states. Similarly, unless private companies can tell the government in real time which of their customers are sending malware, the government cannot protect itself. All of the bills pending in Congress override these poorly conceived and overbroad privacy provisions.

Naturally, privacy groups prefer to ignore the fact that privacy laws they supported are now protecting bad guys, so it’s no surprise that they aren’t comfortable with the new bills. I suspect they’d rather have no bill at all than admit that the old privacy laws contributed to the fix we’re in.

If their goal was to make information sharing so complex that it’s nearly impossible to do, they’ve just about managed to achieve it. Indeed, there’s a real risk that the new provisions will end up creating new limitations on information sharing, new liabilities for security officers, and new legal protections for the people breaking into our networks.

For example, a company, US Petroleum, asks its Internet service provider (ISP) to monitor incoming messages for malware. A week later, the ISP tells US Petroleum that it has detected malware that it attributes to the People’s Liberation Army (PLA). In fact, because it exchanges information with other companies and the government, it can name the unit and perhaps even the individuals who launched the attack. Upon further assessment those sources reveal that the intrusion was aimed at helping Chinese state oil companies outbid US Petroleum on crucial offshore tracts.

In an effort to fight back, US Petroleum decides to prepare a press release denouncing the PLA’s intrusions and asks its lawyers whether it can sue its bid-stealing Chinese competitor. Then its lawyers reread the information sharing provisions of the 2012 cybersecurity bill. Sections 701 and 702 both say that private companies who obtain threat indicators of this sort under the law must “make reasonable efforts to safeguard … information that can be used to identify specific persons from unauthorized access or acquisition.” And section 702 further says that a private entity may not disclose threat indicators to a private entity that is “reasonably likely to violate” the elaborate restrictions imposed on the use of threat indicators.

On the surface, the new law prohibits US Petroleum from using the information it obtained from its ISP to name and shame the attacker. After all, publicly releasing the attacker’s name is not a “reasonable effort to safeguard” the attacker’s identity, and public disclosure of the data by definition supplies the information to parties who will not abide by the law’s restrictions on handling such information.

Essentially, the new provisions demanded by the privacy groups could just as easily be called the “Hacker Protection Act of 2012.”

By eliminating two unfortunate laws that protect hackers we now enforce a new and far more elaborate regulatory scheme for how private entities handle information about attacks on their system — a scheme that also protects hackers.

Furthermore, the new law creates special First Amendment protections for critical infrastructure companies at the same time that it imposes sweeping, direct and burdensome restrictions on the First Amendment rights of US Petroleum.

Fortunately, there is a silver lining. The new legislation only regulates information obtained “under” the legislation. Under section 707(a), information obtained lawfully in some other way is not supposed to be regulated. But this is a dubious protection for US Petroleum, which cannot be sure it didn’t obtain the information that way. After all, it’s quite possible that some of the ISP’s monitoring occurred in a two-party consent state; if so, that information was likely obtained “under” section 702. Or the ISP may have picked up clues about the attacker’s identity “under” section 701(b) by participating in an exchange of information with the government. Uncertainty about the source of such information means that the protection the new law gives to attackers may actually be wider than existing law.

Not only is the definition of protected “threat indicator” quite broad but the new law is also affirmative and sweeping in laying down rules for handling such information. While the legislation doesn’t in so many words give the PLA a cause of action against US Petroleum for its planned press release, anyone reading the law could reasonably fear that a court would say, “Congress clearly prohibited certain actions, and we cannot presume that it meant its rules to be ignored without penalty. Therefore, we will allow lawsuits to enforce the rules that Congress set.”

In response to this disposition, US Petroleum cannot point to a single law expressly allowing it to gather information on its network, or to authorize monitoring by its ISP (in fact, in a two-party consent state, that authorization itself may create liability), or to speak openly about the attack. All the company can say in its defense is that no law prohibited it from speaking out before the new bill passed. A prudent lawyer might conclude that, in lawsuits as in life, nothing rarely beats something.

Overall, the new revisions to the cybersecurity bill make the task of sharing information to defeat hackers harder than it is today. In place of two bad privacy laws – one of which only restricts the flow of data to the government – the new bill creates an entire regime of restrictions on private handling of private data, a regime whose scope is indeterminable but whose deterrent effect on information sharing will be great.

This is the price privacy groups demanded in an effort to remedy their old errors, and they have simply outdone themselves.