A draft bill which would set the parameters for threat information sharing, limit liability for participants, and implement measures to protect privacy and civil liberties is being circulated by Senate Intelligence Chairman Dianne Feinstein and ranking Republican committee member Saxby Chambliss.
The bill is designed to overcome the many legal barriers now in place that would prevent the private sector and government agencies from sharing cyber-related threat intelligence, and would put in place certain liability protections for companies, many of which have expressed concern that some of the information could be used against them in lawsuits should a breach event occur.
“The offer of liability protection to those in the private sector who share information with the government is a strong incentive,” wrote Paul Rosenzweig, a Senior Advisor to The Chertoff Group. “But it continues to contain the litigation bait of a ‘willful misconduct’ exception — which converts the liability protection into a bit of an artful pleading requirement.”
The legislation mandates that any information shared with the government must also be provided to the Department of Homeland Security (DHS) before being disseminated to other agencies, such as the National Security Agency (NSA), in order to secure any proposed liability protections.
“The designation of DHS as the info-sharing hub in the Federal Government is, one expects, hoped to blunt the prospect of sharing information with NSA,” Rosenzweig said. “Implicit in the bill, however, is the reality that the information shared with DHS will also be shared with ‘other federal entities.’ I don’t think that the privacy advocates will miss that implication.”
In an effort to quell privacy concerns, the bill specifically “requires the attorney general to write procedures to limit the government’s use of cyber information to appropriate cyber purposes, and to ensure privacy protections are in place,” and “requires reports by the Privacy and Civil Liberties Oversight Board and relevant federal inspectors general, and by agency heads, on the use of authorities and protections under this bill.”
Rosenzweig believes that the requirement to remove any personally identifiable information (PII) from the shared threat information is crucial to enticing buy-in from privacy advocates, but could also diminish the effectiveness of information sharing and become a point of contention.
“The caveat that the information need not be minimized if it is ‘directly related to a cybersecurity threat,’ is both sensible and a formula for disagreement,” Rosenzweig said.
A recent study by the Ponemon Institute, titled Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, found that nearly two-thirds of respondents said their organizations had suffered a cyber attack in the last two years that could have been prevented had they had adequate access to threat data, and nearly three-quarters believe a better system for sharing threat intelligence is needed.