Legal, regulatory risks keep firms from sharing cyber threat data

A new report suggests that companies should be protected from the threat of lawsuits or regulatory enforcement actions when they share cyber security threat information with the government.

A U.S. policy report to be released today says Congress should preempt certain state and federal regulations in order to allow companies the freedom to share with the government information about cyber security threats and attacks without fear of breaking data breach and other laws.

More information sharing is needed between companies and government agencies in order to help fend off attacks from hacktivists, criminals, and nation-states that target computer networks in the United States, according to the Cyber Security Task Force: Public-Private Information Sharing report written by the Homeland Security Project at the non-profit Bipartisan Policy Center.

"From October 2011 through February 2012, over 50,000 cyber attacks on private and government networks were reported to the Department of Homeland Security (DHS), with 86 of those attacks taking place on critical infrastructure networks," the report says, citing a New York Times article. Only a small number of the incidents are reported to the Department of Homeland Security, mostly because companies are concerned about legal consequences, the report says.

"The resolution of numerous legal impediments -- some real, some perceived -- is asserted by various stakeholders as a predicate to more robust cyber threat information sharing among private sector entities and between the private sector and the government," the report says. "Perceptions of such impediments have created a collective action problem in which companies hold threat and vulnerability information close, rather than sharing it with each other or the government. Information that should be shared includes, but is not limited to, malware threat signatures, known malicious IP addresses, and immediate cyber attack incident details."

To resolve this dilemma, the report proposes offering some safe harbors for cyber security-related information sharing. "Congress should preempt state breach notification laws and federal unfair trade practice enforcement actions and streamline notifications under a federal standard," the report says. "It should also provide a safe harbor for companies when there is no actual risk of consumers having their data misused. This regime would help to encourage sharing with the government by reducing the risk that sharing about incidents would result in violations of data breach and unfair trade practice laws."

For example, groups like the Anti-Phishing Working Group should be able to broadly share data about malicious IP addresses that are used in botnet, phishing and other malware attacks without fear of being sued, the report says.

Meanwhile, the Wiretap Act, as amended by the Electronic Communications Privacy Act, has deterred ISPs from monitoring network traffic for cyber threats, according to the report. Among other things, the acts prohibit the provider from acting as an agent of law enforcement and require a nexus between the device targeted for interception and fraudulent activity, but the law is not clear about the extent to which network-side or subscriber-specific monitoring qualifies for exceptions, the report says.

Statutes should be amended so that information technology services can give consent on behalf of their users; the laws should be expanded to cover companies beyond ISPs; and state laws that require both parties to consent to interception should be overridden so that consent from one party suffices, the document suggests. Government agencies also should not need a subpoena to obtain the data, provided that conditions are in place to protect privacy and civil liberties, the report says.

Finally, the report recommends that all the disparate state data breach laws should be unified into one national standard and punitive lawsuits should be eliminated.

A privacy advocate was not too keen on the recommendations. The report basically seeks to roll back privacy provisions in current law and create immunity for companies that assist the government, as well as limit the circumstances under which companies would be required to notify customers of data breaches, said Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC).

"And the proposal to limit the authority of the FTC to police unfair and deceptive trade practices would keep users in the dark about companies with bad security practices," he said in an e-mail to CNET. "Memo to the 'Bipartisan Policy Center's Homeland Security Project:' If companies don't like complying with privacy obligations, perhaps they should not collect so much personal information!"

Retired General Michael Hayden, co-chair of the Cyber Security Task Force, was not available for comment on Wednesday.

The report's specific recommendations are:

  • Protect cyber threat information provided to the government.
  • Establish mechanisms to protect privacy and civil liberties for information shared with the government.
  • Provide liability protections for cyber threat information clearinghouses that collect and disseminate cyber threat and vulnerability information.
  • Amend communications laws to clearly authorize communications companies to monitor and intercept malicious Internet communications with the consent of a company or customer, and share related information with the federal government.
  • Legislation should provide that the president may certify to Congress that an emergency exists from an ongoing cyber attack or national security threat. This certification would trigger specific authorities to mandate that reasonable countermeasures be taken by companies that generate, store, route or distribute online information and by other appropriate private-sector companies, which would be protected from liability for actions that are consistent with government instructions.
  • Require the government to push technical cyber threat data, which can be used to protect networks, to the private sector in an unclassified format.
  • Require the government to work with critical infrastructure companies to identify key personnel who should receive clearance to review cyber threat and vulnerability information.
  • Streamline data breach notification requirements to incidents where there is a credible risk of harm to consumers and establish a "safe harbor" policy that would exempt a company from state data breach notification laws and federal unfair trade practice enforcement actions following a security breach.