Wednesday, April 30, 2014

Another Information-Sharing Draft Bill

There was a short article over on the WashingtonPost.com Monday about a draft Senate bill addressing information sharing with respect to cybersecurity. The editors were kind enough to share a link to the possible proposed legislation that is being crafted by Sen. Feinstein (D,CA) and Sen. Chambliss (R,GA).

It is way too early in the process to delve too far into this bill as it is way early in the legislative process and may die without being introduced. Having said that, there are some interesting provisions being considered. Before going into those I must warn readers that this is at heart an IT bill with no mention of control systems and I want to remind readers that Senate cybersecurity bills normally die with even less action than in the House.

There is the definition of the term ‘malicious reconnaissance’ {§2(15)} that is an apparent attempt to deal with the separation of cyber-attacks from the mere act of unauthorized access of a system. This combined with the reference to First Amendment protections in the definition of ‘cybersecurity threat’ would seem to protect political hacking of a system for information gathering purposes.

The draft bill would provide limitations on the government use of information voluntarily shared with the Federal government. Those limitations would include the prohibition of:

• Public disclosure under Federal, State and local disclosure laws;
• Use in regulatory actions;
• Use in criminal prosecutions (without prior written consent of original discloser).

It would provide anti-trust exemptions for cybersecurity information sharing between private entities. This would address the issue raised by recent ephemeral DOJ opinions about the non-applicability of anti-trust laws.


Finally, I must repeat my cautionary statement about the potential for this bill to move forward in the Senate. There have been many cybersecurity bills discussed in the Senate that were never introduced. Few of those that have been introduced ever saw any Committee action and none have made it to the floor for a vote. This is still an interesting IT security bill.

No comments:

 
/* Use this with templates/template-twocol.html */