Crossroads Blog | CYBER SECURITY LAW AND POLICY

Legislation, Privacy, regulation

Cybersecurity Act May Challenge Public’s Right to Know: C-SPAN

Today (3/13) the Senate Judiciary Committee will hold a hearing on exemptions to the Freedom of Information Act (FOIA) and its relationship to pending cybersecurity legislation.  According to C-SPAN's website, some privacy advocates "have expressed concerns that the [CSA] expands the [DHS'] definition of 'critical infrastructure information,' exempting additional information from FOIA that is currently protected."

***

As he explains in his blog post for Lawfare, Paul Rosenzweig will be testifying in favor of the CSA before the Senate Judiciary Committee today.  Mr. Rosenzweig attached his testimony, which I have briefly summarized:

  • Cyber Threat information is a public good (like national defense) in that it is non-rivalrous and non-exclusive. 
  • The current law (i.e. the Electronic Communications Privacy Act and the Stored Communications Act) is either too ambiguous or too hostile to cyber threat information sharing.
  • As long as that ambiguity (or hostility) remains in effect, the private sector will not engage in essential information sharing.  Thus, "the legal regime therefore requires modification to authorize and enable the sharing of vital cyber threat and vulnerability information."
  • The bills before Congress (the CSA and Secure IT) help to relieve this uncertainity.  Private companies are wary of the legal consequences for sharing information, but the bills provide civil and criminal liability protections, hopefully assuaging those worries.
  • As a component of those liability protections, it is "essential that a blanket FOIA exemption be part of any new cybersecurity information-sharing legislation."

Again, you can find Mr. Rosenzweig's comments here, courtesy of Lawfare.

Leave a Reply

Legislation, Privacy, regulation

Cybersecurity Act May Challenge Public’s Right to Know: C-SPAN

Today (3/13) the Senate Judiciary Committee will hold a hearing on exemptions to the Freedom of Information Act (FOIA) and its relationship to pending cybersecurity legislation.  According to C-SPAN's website, some privacy advocates "have expressed concerns that the [CSA] expands the [DHS'] definition of 'critical infrastructure information,' exempting additional information from FOIA that is currently protected."

***

As he explains in his blog post for Lawfare, Paul Rosenzweig will be testifying in favor of the CSA before the Senate Judiciary Committee today.  Mr. Rosenzweig attached his testimony, which I have briefly summarized:

  • Cyber Threat information is a public good (like national defense) in that it is non-rivalrous and non-exclusive. 
  • The current law (i.e. the Electronic Communications Privacy Act and the Stored Communications Act) is either too ambiguous or too hostile to cyber threat information sharing.
  • As long as that ambiguity (or hostility) remains in effect, the private sector will not engage in essential information sharing.  Thus, "the legal regime therefore requires modification to authorize and enable the sharing of vital cyber threat and vulnerability information."
  • The bills before Congress (the CSA and Secure IT) help to relieve this uncertainity.  Private companies are wary of the legal consequences for sharing information, but the bills provide civil and criminal liability protections, hopefully assuaging those worries.
  • As a component of those liability protections, it is "essential that a blanket FOIA exemption be part of any new cybersecurity information-sharing legislation."

Again, you can find Mr. Rosenzweig's comments here, courtesy of Lawfare.

Leave a Reply