By Daniel L. Farris
The House of Representatives passed the Protecting Cyber Networks Act (H.R.1560) (“PCNA”) yesterday, amidst growing pressure from industry to enact legislation that would help companies harden key infrastructure and respond to attacks in a more concerted fashion. The PCNA passed easily, 307-116 with bipartisan support, over protests from privacy and civil liberties groups.
Earlier this week, three major trade associations (the National Cable & Telecommunications Association, CTIA – The Wireless Association, and USTelecom – the Broadband Association) sent a letter to Speaker Boehner and Minority Leader Pelosi urging them to pass two important cybersecurity bills: the PCNA and the National Cybersecurity Protection Advancement Act (H.R. 1731) (“NCPAA”). Noting that companies in the Cable & Telecom, Wireless/Cellular Telephone, and Broadband & Network Infrastructure industries are “on the front lines” of the fight with cyber criminals, the associations pressed Congress to “pass both bills, without counterproductive amendments that would make America’s information systems less safe or discourage private sector participation for fear of attracting litigation.”
The PCNA is designed to improve communication and sharing of information about cyber threats, vulnerabilities, and cyber attacks between corporations and government agencies. Congress hopes that the PCNA will provide companies with a real-time notice and response system, via government agencies like the NSA, to better deter attacks and warn other network and infrastructure operators about new techniques being deployed by advanced hackers.
While the PCNA was supported by industry, it was strongly opposed by 55 privacy and civil liberties groups, who sent their own letter to Congress. Critics, who include the ACLU, Electronic Frontier Foundation, Freedom of the Press Foundation, and Human Rights Watch, say that the PCNA will “significantly increase the National Security Agency’s (NSA’s) access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity.” Two key concerns are the portions of the PCNA that allow companies to share data with the NSA in ways that might otherwise violate the Electronic Communications Privacy Act or the Wiretap Act, and the absence of any limitation restricting the government’s use of shared data to cybersecurity purposes.
The PCNA does provide some privacy provisions, however, including a requirement that companies remove or scrub Personally Identifying Information unrelated to or unnecessary for analysis of the alleged threat. These safeguards, combined with a slew of high-profile data breaches in 2014, have caused President Obama to express support for the PCNA and its Senate counterpart, the Cybersecurity Information Sharing Act and Protection Act (“CISA”), reversing his prior threat to veto the CISA in 2013.
Congress plans to vote today on the NCPAA, which would grant companies protection against liability for sharing data with the Department of Homeland Security. The NCPAA is viewed by industry as critical companion legislation to enable more open sharing of cybersecurity threat information, because without liability protection companies could expose themselves to class actions or increased regulatory enforcement actions.