It appears that almost nobody who felt a compulsion to comment on this took the trouble to read the summary, let alone the full text, of Senator Burr's bill, which appears to have two basic purposes. The first requires the federal government to share knowledge with other governments and the private sector about computer security threats and contains explicit requirements to remove personal and personally identifying information from the shared material (with an exception). The second is to allow (but not compel) other government and private entities to share such information with the federal government for specific purposes related to ensuring and improving computer security. It does not appear to allow monitoring or surveillance that is not probably legal now under contract law, although it makes it explicit and allows businesses to collaborate to a degree on information security without risking antitrust action, and offers protection for proprietary information in the form of exemption from Freedom of Information Act release. It also allows government use of the information for specified law enforcement and other purposes, including, one supposes, by the FBI and NSA to identify and attempt to interdict ongoing threats.
The bill has some vagueness and parts might be improved, including at least the following.
- clarification of the "person not directly related to a cybersecurity threat" whose identifying and other information is not required to be removed from data the Federal Government shares;
- an explicit requirement that personal and personally identifying information be removed by those submitting threat information to the Federal Government; as the bill stands, this is left for the Attorney General to define in required guidelines;
- potential use of the collected threat information to inform development and implementation of information system regulations, better left out of this bill and put into any later legislation aimed at information security regulation;
- the bill incorporates part of a document "National Strategy for Trusted Identities in Cyberspace" that the President issued in 2011 that I thought a bit troublesome then and probably still would.
Senator Wyden and others no doubt will address these and other areas with amendments.
This bill probably should be severed from the National Defense Authorization Act. Its subject is important enough, and it has enough potential and actual problems that it would be better considered separately. In addition, the governments and private entities have plenty of other information assurance work to do before lack of threat information sharing becomes a significant impediment. It is not, however, the product of a seriously deranged would-be tyrant, as some might have it.