The U.S. government and the American business community are understandably worried about cybersecurity. Last year was a big one for cyberattacks and data breaches. In response to this threat, the Republican-controlled Congress is debating five bills designed to make it easier for businesses to share information about cybersecurity threats with the government.
Because of lobbying by businesses and the U.S. intelligence community, the bills are structured to protect the corporations more than their customers. They include language shielding companies from consumer lawsuits that result from improperly shared data. Civil-liberties groups have also criticized the bills for not adequately protecting personal information embedded in cyberthreat data and for shrouding the data from public-records requests.
At press time, the House had passed two cybersecurity bills, the Senate had passed one bill, and a third House bill and a second Senate bill were awaiting review by the appropriate committees.
House and Senate negotiators will need to resolve differences between the two House bills, the PCNA and the NCPAA, and the Senate bill, CISA. After that, both houses of Congress will need to pass the final, combined bill.
Here are the five major cybersecurity bills working their way through Congress, along with brief explanations of their distinguishing features.
CISA: Cybersecurity Information Sharing Act of 2015
Sponsor: Sen. Richard Burr (R-N.C.), Chairman of the Senate Intelligence Committee
Status: Passed by the Senate 74-21 on Oct. 27; differences with House bills (see below) must be resolved in a conference committee, followed by votes on the conference version in the Senate and the House
CISA orders the office of the Director of National Intelligence (DNI) to establish a process for the federal government to share data on cyberattacks with state and local government agencies and private companies that could be affected. This includes both indicators of future threats and data on active cyberattacks.
The bill also lays out how entities other than the federal government can track and respond to cyberthreats without government involvement as well as how and with whom they can share information about these threats.
Responses to cyberthreats are called “defensive measures,” and civil liberties groups consider the vagueness of CISA’s defensive-measures provision one of the bill’s most troubling elements. It is not completely clear what kinds of defensive measures CISA would permit a company to legally employ against the source of a cyberattack.
CISA also allows state, tribal, and local governments to use cyberthreat data—without the permission of the entity that shared said data—to prevent serious harms like terrorist attacks, economic catastrophes, or imminent violent threats.
CISA creates exceptions to federal antitrust laws to let private companies exchange data on cyberthreats without being punished for collusion. Businesses still cannot coordinate to fix prices, divvy up sections of a shared market, or engage in any other monopolistic behaviors.
CISA places significant responsibility on the Department of Homeland Security (DHS) to develop a process that lets the federal government collect businesses’ cyberthreat data and distribute it throughout the government.
In addition, CISA offers companies “liability protections” that shield the companies from certain kinds of lawsuits relating to data sharing. These protections are another point of contention for civil-liberties watchdogs.
CTSA: Cyber Threat Sharing Act of 2015
Sponsor: Sen. Tom Carper (D-Del.), Ranking Member of the Senate Homeland Security Committee
Status: Referred by Sen. Carper to the committee; unlikely to move forward given passage of CISA
Like CISA, CTSA allows private businesses to share information about cyberthreats with partners in the private sector and in the government. The central government clearinghouse for such threat data is the National Cybersecurity and Communications Integration Center (NCCIC).
Sen. Carper, CTSA’s sponsor, has said that his bill shares many features with CISA. But unlike CISA, this bill puts the DHS at the center of cyberthreat data sharing; Carper has urged the House to incorporate “a strong role” for the DHS in its cybersecurity bills.
Under CTSA, the DHS would select a private company to design standards for how other companies would share cyberthreat data.
CTSA, like CISA, offers companies liability protections, the idea being that they will be more likely to share data if they aren’t worried about consumers suing them for doing so inappropriately.
Unlike CISA, there is no language in CTSA authorizing private companies to use defensive measures to counter cyberthreats.
Also unlike CISA, CTSA includes a provision that limits how the government can use threat data to regulate a company. Under CTSA, the government cannot use threat data shared by a company as part of a regulatory action against that company. (If the government lawfully acquires the data from another source, it can use it in regulatory actions.)
CTSA carries a five-year sunset provision.
PCNA: Protecting Cyber Networks Act
Sponsor: Rep. Devin Nunes (R-Calif.), Chairman of the House Intelligence Committee
Status: Passed by the House 307-116 on April 22
PCNA’s main purpose—directing the DNI to establish procedures for sharing cyberthreat data and allowing businesses to craft and execute their own response plans—mirrors that of CISA and CTSA.
When the House passed PCNA, the chamber approved all but one amendment by voice vote, meaning the vote-counters knew there was enough support to skip the usual recorded vote. The one amendment that required a recorded vote was a seven-year sunset provision offered by Rep. Mick Mulvaney (R-S.C.). Chairman Nunes and the business community opposed this amendment, but it passed 313-110.
One notable amendment that passed on a voice vote was the manager’s amendment, which is essentially a hybrid amendment containing provisions from multiple legislators. The PCNA manager’s amendment removed a provision from the bill that would have rewritten the Freedom of Information Act (FOIA) to exempt certain cyberthreat data from disclosure. A similar provision in CISA recently attracted the ire of civil-liberties groups and privacy-minded senators. PCNA still includes language exempting cyberthreat data from disclosure under federal and state transparency laws, but if passed, it would no longer rewrite FOIA to achieve this end.
Jack Langer, Rep. Nunes’ communications director, told the Daily Dot in an email that Nunes’ bill mirrored key elements of the bill being worked on by the Homeland Security Committee, led by Chairman Michael McCaul (R-Texas).
“Chairmen Nunes and McCaul coordinated their efforts closely as they were writing their respective bills so that they would be compatible,” Langer said. “The main difference is that the [Homeland Security Committee] bill identifies the DHS as the host for the information-sharing portal, whereas our bill does not designate a specific portal, i.e. portals could be established at many different departments and agencies.”
In this respect, the House pair (PCNA and NCPAA) parallels the Senate pair (CISA and CTSA): in each chamber, the Homeland Security Committee produced a bill that gave the DHS a starring role in cyberthreat data sharing, while the Intelligence Committee left that task to the collective agencies involved.
NCPAA: National Cybersecurity Protection Advancement Act of 2015
Sponsor: Rep. Michael McCaul (R-Texas), Chairman of the House Homeland Security Committee
Status: Passed by the House 335-63 on April 23
As mentioned above, NCPAA is very similar to PCNA except that it establishes the DHS as the central repository for cyberthreat data. NCPAA, like CTSA, directs the NCCIC to coordinate the sharing of such data and authorizes the center to establish information-sharing agreements with private companies.
Like CISA, NCPAA offers companies liability protections for data sharing and exempts such sharing between companies from antitrust scrutiny.
When the House passed NCPAA, it also passed a resolution ordering that the bill be attached to the end of PCNA, effectively merging the two pieces of legislation. A report from the Congressional Research Service compares the two bills, point by point.
Rep. Bennie Thompson (D-Miss.), the ranking member on the House Homeland Security Committee, told Politico on Thursday that he planned to work with Chairman McCaul to refine the combined bill’s liability-protection language, which he called “overly broad.”
CISPA: Cyber Intelligence Sharing and Protection Act
Sponsor: Rep. Dutch Ruppersberger (D-Md.), Ranking Member of the House Intelligence Committee
Status: Referred by Rep. Ruppersberger to the Subcommittee on the Constitution and Civil Justice
CISPA began life as a House bill in November 2011, and its many House and Senate rebirths have repeatedly been scuttled as public outcry mounted over what privacy watchdogs considered worrisome provisions. CISA was created in response to concerns over a previous version of CISPA.
The latest version of CISPA, introduced at the beginning of the 114th Congress, calls for the president to designate two cyberdata coordinators: one within the DHS for receiving cyberthreat data and one within the Department of Justice (DOJ) for receiving cybercrime data.
The bill also calls for the Director of National Intelligence to facilitate data sharing between the U.S. intelligence community and businesses with certain security clearances.
As in other cybersecurity bills, there is liability protection for companies that share data with the government.
CISPA carries a five-year sunset provision.
With CISA now through the Senate, the most likely outcome of the congressional cybersecurity debate is as follows:
- The two House bills that have passed will be formally combined and will retain the name PCNA.
- House and Senate negotiators will go to conference to resolve differences between CISA and PCNA.
- President Obama will sign the conference bill that results from these negotiations.
The White House has expressed reservations about portions of the two House bills, but the administration has refrained from issuing a veto threat on either of them. Barring drastic changes in conference negotiations, the president would probably sign a conference bill that combined CISA and PCNA.
Correction: PCNA was amended to remove language that rewrote FOIA to exempt certain information from disclosure, but it still includes language that would create this exemption through other means.
Update 4:59pm CT, Oct. 27: Updated after Senate passage of CISA.
Photo via Allie_Caulfield/Flickr (CC BY SA 2.0) | Remix by Jason Reed