Yesterday I posted about House of Representatives action encouraging companies to share with the Federal government information bearing on cyber security. Intrigued by substantial negative votes cast against what looked much like a no-brainer, I sought some texture on the issue from Congressman Mike Capuano (D-MA and a thoughtful liberal voice in the Congress). Mike’s Newsletter, received today, is pretty interesting.
It seems there were two separate House bills that passed, and Mike voted against both. The first (Protecting Cyber Networks Act) requires the Director of National Intelligence to establish a framework for sharing company cyber breach information while including consumer privacy protections. In order to foster company participation, there are strong insulations against company liability for sharing private data with whichever Federal agency, in the company’s view, is best equipped to analyze the issue. However, under the bill, that Federal agency must immediately share the information with the Department of Defense and the National Security Agency. This bill passed 307-116 with overwhelming Republican support and mixed Democratic support (105 yeas, 79 Democratic nays).
A second related bill garnered far more robust support on both sides of the aisle, requiring companies to take “reasonable efforts” to remove personal information. It also establishes the Homeland Security Department’s National Cybersecurity and Communications Integration Center as the lead Federal civilian agency on cyber threats.
Both bills worried Capuano with respect to inadequate consumer protection. Perhaps part of the concern is the interweaving of the US response to cyber threats with sensitivity to international governmental participation in domestic US hacking. The existing infrastructure already is keyed significantly to this risk, involving the FBI, Homeland Security and Immigration with significant anti-cyber-risk functions. The tension between protecting us against the potential of massive damage from off-shore and creating a hyper-intrusive governmental bureaucracy, already pervading the debate as to free speech issues over the internet and our phone system, now is evident even in the effort to protect our business computer networks. This is not an area where clear guidelines will be generated any time soon.