On November 29, 2011, The United States House of Representatives announced a bill to “provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes”. The Bill, if it becomes law, will allow the director of National Intelligence to establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence.
This bill covers unclassified as well as classified information and will enable these private agencies to use such information to identify cyber threats in order to protect its property and relate the information back to the federal agencies or to other entities. The Bill also allows cyber security service or goods providers to use the information to protect the property of entities. There will be certain restrictions placed on the use of the information but the Bill leaves these open-ended. In addition, the Federal agencies may require a type of security clearance on an entity or persons within the entity.
‘Cyber threat intelligence’ is defined as follows:
The term ‘cyber threat intelligence’ means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from —
(A) efforts to degrade, disrupt, or destroy such system or network;
or
(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information. Under the Bill the private entities shall be exempt from legal liability if the information is used in accordance with the law. The term information is similarly defined.
A few major organizations and major players in private industry wrote letters of support for this bill. While there are several federal agencies already cooperating on combatting cyber-security threats, the Bill would allow ease in the sharing of information on a timely basis and therefore reduce the regulatory burden, with an eye on the public goal of cyber security.
While on one hand, it is certainly applaudable that the United States government is taking a flexible view in allowing the ease of information sharing to protect public sector industry, there seems to be little direction in the way of guidelines.
The draft states: ”
(2) USE AND PROTECTION OF INFORMATION. Cyber threat information shared in accordance with paragraph
(1) —
(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including, if requested, appropriate anonymization or minimization of such information;
(B) may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information; and
(C) if shared with the Federal Government —
i – shall be exempt from disclosure under section 552 of title 5, United States Code;
ii – shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Govern- ment except as authorized by the entity sharing such information; and
(3) EXEMPTION FROM LIABILITY. – No civil or 12 criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self protected entity, or cybersecurity provider, acting in good faith —
(A) for using cybersecurity systems or sharing information in accordance with this section; or
(B) for not acting on information obtained or shared in accordance with this section.”
Since many of the private sector companies that would be certified under the law to obtain classified information are also multinational companies, it is prudent to adopt a policy whereby the individual or individuals who are entitled under the law to receive information, are also charged with the safeguarding of the information and the administration of legal framework guidelines. These individuals should be subject to legal liability and penalty for failure to comply in all cases and not free from liability if they acted under good faith.
“Good faith” is a subjective term under general commercial law. Being that compliance for classified as well as unclassified information is left to the private sector company, there should be more “meat” to the definitions. The damage that could be caused by the possible misuse of the information to gain an unfair competitive advantage against foreign worldwide competitors, may be great. In fact the use of the words, “self protecting” as opposed to “self-policing” in the Bill, degrades the integrity of the law and the U.S. lead for world cooperation in the war against cyber threats.
These legal terms bring forth a myriad of legal, contractual, and social issues. A law that clarifies set requirements of compliance and permits self-policing under threat of penalty would be in line with the export laws of the United States and similar regimes. A law that so greatly affects the internal operations of multinational entities should also protect worldwide competition and worldwide export obligations. Failure to do so, may inhibit the integrity of global information sharing.
“The best way to protect your own freedom is to watch everybody else’s back. That’s the essence of community.” — ski racer Bode Miller
Lori Solberg, Copyright, all rights reserved.
About the author: Lori Solberg (MBA, Adv.)
Former deputy general counsel of Rafael Advanced Defense Systems (international), Lori Solberg provides customized general and business advice to advanced technology and defense companies. She specializes in business market expansion in the defense and HLS fields worldwide as well as representation before international export control authorities.