Senators Lieberman and Collins have just released a revised version of the cybersecurity legislation proposed earlier this summer. The bill weighs in at 211 pages, and we have not yet had the time to read and consider the proposal. Of course, a major component of the law is streamlined information sharing between government and private industry on cyberthreat information. Unsurprisingly, this aspect of the current cybersecurity proposals has reanimated the familiar security-versus-privacy trope, with legislators and companies supporting information sharing (and the corresponding immunity from liability for doing so) and the majority of Americans polled saying they prefer to keep their data to themselves, thank you very much.
As Congress reviews this or any other proposed bill, it should ask whether the law would improve widespread public disclosure of the kinds of information computer professionals actually use to improve network security. Congress should ask whether our current laws interfere with such information sharing in any way, and if so, tweak just those provisions. The bill includes the words "notwithstanding any other law", but if we don't know exactly why those laws are a problem, that language should be rejected. Finally, Congress should be aware of the ways in which the government currently uses cyberthreat information to favor some private partners or to bargain for the cooperation of corporate victims in unlawful extrajudicial surveillance. To avoid these abuses, the bill should encourage government to share cyberthreat information on an equal and non-discriminatory basis, except in special, narrow circumstances.
Promote Public Sharing of Information That Improves Network Security: Computer security information sharing is a Very Good Thing. Computer security professionals generally agree that the more information we have about threats to the network, the better network operators, from a mom-and-pop coffee shop to AT&T, can protect their networks, and the better users can assess risk and take steps to protect themselves. Secretive and selective distribution of important security information equals trouble. See, e.g., Schneier, "Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'" (Jan 2007). In the past, our only disagreements have been about the timing of public disclosures (i.e., before or after vendors have had a chance to patch; see Microsoft Security Response Center, "Announcing Coordinated Vulnerability Disclosure" (July 22, 2010)). Because networks are only as strong as their weakest link, true cybersecurity information must at some point be made widely and publicly available.
Of course, there's no one definition of "cyberthreat information". Thus, a satisfactory statute will give a clear, simple, readily understandable definition of the term that specifically identifies and encourages sharing of the data that enables companies and the government to better secure their networks from future attacks. There are some obvious categories: attack signatures, vulnerabilities, exploits and patches. In the very definition of cyberthreat information, the statute can make clear, to industry and government investigators alike, that the purpose of the law is to promote an improvement in the health of our interdependent networks, not to enable government access to otherwise off-limits data or to provide companies with an argument for evading their responsibilities under existing privacy statutes.
Existing Privacy Protections Allow Such Sharing: "Notwithstanding any other law" means that, to the extent the legislation is inconsistent with the Electronic Communications Privacy Act (ECPA), the Foreign Intelligence Surveillance Act (FISA) or any other privacy statute, this law would override them. This might make sense if current privacy statutes are, in fact, obstacles to cyberthreat information sharing.
But no law prohibits freely sharing cyberthreat information, i.e., the attack signatures, vulnerabilities, exploits and patches that security engineers use to improve their systems. In rare circumstances that cyberthreat information could be protected, for example if the exploit code was contained in highly protected user content such as the body of an email. This is because ECPA generally prohibits service providers from voluntarily disclosing to anyone, including government, the contents of user emails. Nevertheless, if a provider finds such exploit code in an email, ECPA allows the disclosure where it is incident to the protection of the provider's rights and property (18 USC 2511(2)(a)(i), 2702(b)(5)), where the contents were inadvertently obtained and appear to pertain to the commission of a crime (18 USC 2711(3)(b)(iv), 2702(b)(7)(A)), or where the provider believes in good faith that the disclosure is required under emergency conditions (18 USC 2702(b)(8)).
In short, our current privacy regime already allows cyberthreat information sharing. Our current rules and regulations encourage companies to narrow disclosures to just the non-sensitive information that is needed for threat mitigation. This is exactly what we want. If anyone has any information about how our current laws are a problem, let's hear it.
Don't Legalize an Illegal Quid Pro Quo: Prior bills set up a hierarchy of network and service providers, where some were ineligible for sharing while a "Cybersecurity One Percent" received preferential treatment in the form of state-of-the-art, government-vetted security information. Any cybersecurity bill has to discourage, rather than encourage, this information inequity.
We need this not only because secretive distribution of cyberthreat information puts the have-nots at risk, but also to ensure that government doesn't use its greater access to cyberthreat information via this statute as leverage against private companies. For example, a 2011 article in the New York Law Journal revealed that government agencies are increasingly bypassing the legal prerequisites for "real time" network monitoring and simply approaching corporations directly with requests to install some kind of device on the network. It is a shame that I have to waste pixels to say that acquiescing to such requests is patently unlawful. Government needs a wiretap order under Title III or FISA for real-time content surveillance, and a pen/trap order for transactional data monitoring. Nevertheless, government approaches the target company when it is down. As the article says, the request is typically precipitated by an attack on the corporation's computer systems or by intruders having installed malware on the company's networks. Under these circumstances, the FBI apparently has successfully persuaded at least some companies to allow the unlawful installation of these devices by offering them information about the attacks those same corporations have suffered. "If you scratch our back, we will scratch yours" is not the law. There are proper, effective procedures to follow here. Either government can get legal authorization from a court, right away or after a short period of emergency monitoring, or the company can do its own investigation and turn the information over to government under one of the ECPA/Wiretap Act exceptions. What is categorically wrong is for the government to twist the arm of a corporate victim of a cyberattack until it agrees to host black-box extrajudicial surveillance.
In sum, any cybersecurity bill should (1) narrowly define cyberthreat information to include vulns, exploits and patches and to exclude private data, and (2) delete the "notwithstanding any other law" language that could eviscerate inoffensive existing privacy protections. I'll be back with some specific comments on the Lieberman/Collins bill after I've had a chance to read it.