The latest draft cybersecurity bill contains information sharing provisions that were heavily negotiated between the Obama administration and privacy groups. This effort at compromise has yielded the usual ambiguous praise from privacy groups. The Electronic Frontier Foundation pronounced itself "pleased" but then complained that the measure still "contains broad language around the ability for companies to use security as a reason to partake in 'nearly unlimited' data monitoring of users."
In fact, the privacy groups have added so much baggage to the information sharing provisions that the new law is nearly useless to private sector companies who want to improve cybersecurity. And it may actually impose an entire new regulatory and liability yoke on companies that treat cybersecurity seriously.
It’s worth remembering why the information sharing provisions are necessary. The reason is that, with the support of privacy groups in years past, Congress prohibited many companies from sharing customer information with the government in the absence of a subpoena. Congress also authorized states to adopt “two-party consent” restrictions on interception of communications. In an age of widespread network intrusions, both of these laws have the effect of protecting hackers and spies.
How so? Controlling spearphishing requires that incoming packets be monitored for malware; and that in turn means intercepting the communications. Since it’s unlikely the attacker who is sending malware will consent to such monitoring, this monitoring creates legal risks in two-party consent states. Similarly, unless private companies can tell the government in real time which of their customers are sending malware, the government cannot protect itself. All of the bills pending in Congress override these poorly conceived and overbroad privacy provisions.
Privacy groups don’t like to be reminded that privacy laws they supported are now protecting bad guys, so it’s no surprise that they aren’t comfortable with the new bills. I suspect they'd rather have no bill at all than admit that the old privacy laws contributed to the fix we're in.
If that was their goal, they've just about managed to achieve it. They've made information sharing so complex that it's nearly impossible to do. Indeed, there’s a real risk that the new provisions will end up creating new limitations on information sharing, new liabilities for security officers, and new legal protections for the people breaking into our networks.
To see how, let’s take a simple example. A company, US Petroleum, asks its ISP to monitor incoming messages for malware. A week later, the ISP tells US Petroleum that it has detected malware that it attributes to the Peoples Liberation Army. In fact, because it exchanges information with other companies and the government, it can name the unit and perhaps even the individuals who launched the attack; it further assesses based on those sources that the intrusion was aimed at helping Chinese state oil companies outbid US Petroleum on crucial offshore tracts.
US Petroleum decides not to take this lying down. It prepares a press release denouncing the PLA’s intrusions and asks its lawyers whether it can sue its bid-stealing Chinese competitor. Then its lawyers reread the information sharing provisions of the 2012 cybersecurity bill. Sections 701 and 702 both say that private companies who obtain threat indicators of this sort under the law must “make reasonable efforts to safeguard … information that can be used to identify specific persons from unauthorized access or acquisition.” And section 702 further says that a private entity may not disclose threat indicators to a private entity that is “reasonably likely to violate” the elaborate restrictions imposed on the use of threat indicators.
On its face, then, the new law prohibits US Petroleum from using the information it obtained from its ISP to name and shame the attacker. After all, publicly releasing the attacker's name is not a "reasonable effort to safeguard" the attacker’s identity, and public disclosure of the data by definition supplies the information to parties who will not abide by the law's restrictions on handling such information.
In short, the new provisions demanded by the privacy groups could just as easily be called the “Hacker Protection Act of 2012.”
The price of eliminating two unfortunate laws that protect hackers is a new and far more elaborate regulatory scheme for how private entities handle information about attacks on their system -- a scheme that also protects hackers.
To add to the irony, the new law creates special first amendment protections for critical infrastructure companies at the same time that it imposes sweeping, direct and burdensome restrictions on the first amendment rights of US Petroleum.
The one saving grace is that the new legislation only regulates information obtained “under” the legislation. Under section 707(a), information obtained lawfully in some other way is not supposed to be regulated. But this is a dubious protection for US Petroleum, which cannot be sure it didn't obtain the information that way. After all, it’s quite possible that some of the ISP’s monitoring occurred in a two-party consent state; if so, that information was likely obtained “under” section 702. Or the ISP may have picked up clues about the attacker's identity “under” section 701(b) by participating in an exchange of information with the government. Uncertainty about the source of such information means that the protection the new law gives to attackers may actually be wider than existing law.
That’s true not just because the definition of protected “threat indicator” is quite broad but also because the new law is so affirmative and sweeping in laying down rules for handling such information. While the legislation doesn’t in so many words give the PLA a cause of action against US Petroleum for its planned press release, anyone reading the law could reasonably fear that a court would say, “Congress clearly prohibited certain actions, and we cannot presume that it meant its rules to be ignored without penalty. Therefore, we will allow lawsuits to enforce the rules that Congress set.”
To counter this inclination, US Petroleum cannot point to a single law expressly allowing it to gather information on its network, or to authorize monitoring by its ISP (in fact, in a two party consent state, that authorization itself may create liability), or to speak openly about the attack. All the company can say in its defense is that no law prohibited it from speaking out before the new bill passed. A prudent lawyer might conclude that, in lawsuits as in life, nothing rarely beats something.
The new privacy provisions, in short, make the task of sharing information to defeat hackers harder than it is today. In place of two bad privacy laws – one of which only restricts the flow of data to the government – the new bill creates an entire regime of restrictions on private handling of private data, a regime whose scope is indeterminable but whose deterrent effect on information sharing will be great.
The privacy groups that demanded this as the price for correcting their old errors have outdone themselves.