Congressman Jim Langevin (D-RI), co-founder of the Congressional Cybersecurity Caucus, helped the House Permanent Select Committee on Intelligence pass legislation today to remove legal barriers that have prevented the government and private companies from protecting their networks against foreign hackers in China and around the world.
The Cyber Intelligence Sharing and Protection Act (H.R. 624) provides legal authority for sharing of cyber threat information within the private sector, as well as between the private sector and the government, to enable the best possible awareness of existing threats. Private sector involvement is strictly voluntary. Experts have emphasized that this initiative must be a priority for improving the country's cybersecurity, and the CSIS Commission on Cybersecurity for the 44th Presidency that Langevin co-chaired recommended "a new operational organization where public- and private-sector entities can collaborate and share information on critical cybersecurity in a trusted environment."
Langevin has been a leading advocate for the inclusion of substantial protections in the legislation to allay concerns that threat sharing could expose private information that the public has entrusted to companies taking part in this effort. To address particular concerns raised by civil liberties advocates that companies could use outside systems or networks to identify or obtain cyber threat information -- a practice labeled varyingly as "hacking back," "active defense," "strike-back," or "countermeasures" -- Langevin successfully offered an amendment that explicitly prohibits that practice.
Further privacy provisions in the bill are listed below.
"Our most critical infrastructure, including the power grid and water systems, are exposed to great damage through their networks; sensitive government and military information is being put at risk; and billions of dollars of research and development work is being stolen from U.S. companies by international competitors, damaging our economic competitiveness," said Langevin.
"We cannot address these challenges without effective information sharing, and after much collaboration with civil liberties advocates, we have included strong precautions that guard against government access to and use of people's personal information. I would not support a bill that did not take our citizens' privacy seriously, and I will continue to work with the committee, the White House and stakeholders to strengthen the measure when it comes to the House floor.
"However, I will reiterate that CISPA is not a final solution to cybersecurity. While it promises to greatly improve situational awareness, information sharing alone will not allow us to prevent every attack. Our most vulnerable and valuable infrastructure must meet minimum cybersecurity standards in order to minimize the risk of a major cyber attack that could leave millions without electricity or safe drinking water for an extended period of time. Additionally, we must continue making every effort possible to educate and train a sufficient number of the most highly skilled cyber operators."
Strong Protections for Privacy and Civil Liberties:
-CISPA has very narrow definitions that permit only the voluntary sharing by the private sector of a very limited category of information--cyber threat information--and permit only the sharing of such information for cybersecurity purposes, a similarly limited term.
-The bill protects privacy by prohibiting the government from forcing private sector entities to provide information to the government, by encouraging the private sector to "anonymize" or "minimize" the information it voluntarily shares with the government, and by explicitly authorizing and encouraging the government to create procedures to protect privacy.
-The bill also puts in place strict restrictions on the use, retention, and searching of any data voluntarily shared by the private sector with the government.
-The bill enforces these privacy and civil liberties protections by permitting individuals to sue the federal government for damages, costs, and attorney's fees in federal court.
-The bill also provides for strong public and Congressional oversight by requiring a detailed annual review by the Intelligence Community Inspector General (IG) of the government's use of any information shared by the private sector, and by requiring the IG to provide recommendations to Congress--in an unclassified report--to better protect privacy and civil liberties.
-The bill will sunset in five years, permitting Congress to carefully review the use of the authorities provided by the bill and determine whether they should be extended or modified.