New cyber info-sharing measure gets nod from privacy proponents

This story was updated to include comments from a House Intelligence Committee staff member.

A House Homeland Security Committee draft bill that would create a nonprofit entity to share information on cyber threats has gained favor with some privacy advocates who are concerned that a competing bill already passed by the House Intelligence Committee will feed personal information to the government.

The proposed National Information Sharing Organization, or NISO, would be guided by a board of directors composed of two privacy advocates and 10 representatives from critical infrastructure sectors, including the banking, communications, defense contracting, energy and health care industries. Only four federal officials would sit on the board. Most expenses, at least 85 percent, would be paid by member companies. The board would set rules for privacy protections, handling of intellectual property and limitations on liability. And the bill would legitimize the Homeland Security Department as the lead government agency for coordinating with the private sector on reinforcing critical infrastructure networks rather than the Defense Department or intelligence agencies.

For these reasons, the Center for Democracy and Technology, a civil liberties group, says the information sharing stipulations in the draft are superior to those in H.R. 3523, which, CDT says, would allow Internet service providers to share private communications with the government.

The fear is that the Intelligence Committee's bill, modeled after a Pentagon test program that shared classified threat intelligence with military contractors, would disclose computer users' data to the National Security Agency, the Defense Department organization responsible for monitoring foreign communications and protecting U.S. information systems. NSA ran the so-called Defense industrial base cyber pilot.

A committee staffer said in a statement, "CDT's concerns are unfounded. The [bill] provides strong protections for privacy and civil liberties while still enabling effective cyber threat sharing and providing clear authority for the private sector to defend its own networks."

On Dec. 1, a day after introduction, the bipartisan legislation secured passage with a 17-1 vote by the committee. It now heads to the House floor.

Still, Gregory T. Nojeim, director of CDT's Project on Freedom, Security and Technology, told lawmakers at a Homeland Security subcommittee hearing Tuesday that their proposal needs some refinements to protect civilians. Specifically, the draft should be changed to restrict the type of cybersecurity information that can be shared to attack signatures -- the fingerprints of malware that can fortify network immunity if loaded into antivirus software, he said. Also, the law, not simply board policy, should mandate that information exchanged be stripped of data identifying computer users, Nojeim added.

Both pieces of legislation are aimed at encouraging businesses, which have been fearful of exposing security weaknesses, to share information on threats for the greater good. According to security firm Symantec, global cybercrime racks up $114 billion annually. Both measures would prod the private sector to participate in the data swap through incentives rather than regulation.

The proposed NISO is not unprecedented, according to the Congressional Research Service. Lawmakers in 1987 established the Semiconductor Manufacturing Technology consortium, or SEMATECH, to protect the nation's economic security. The move was a response to the United States' growing dependence on Japan for semiconductors, testified CRS analyst Kevin R. Kosar. SEMATECH, which included officials from more than a dozen major U.S. semiconductor manufacturers, researched and developed techniques for manufacturing domestic goods.

Like the proposed NISO, it was self-chartering, affiliated with a federal agency -- Defense in that case -- funded by member companies and the federal government, and led by the private sector, Kosar said.