FAS

Cybersecurity Information Sharing: A Legal Morass, Says CRS

03.23.15 | 2 min read | Text by Steven Aftergood

Several pending bills would promote increased sharing of cybersecurity-related information — such as threat intelligence and system vulnerabilities — in order to combat the perceived rise in the frequency and intensity of cyber attacks against private and government entities.

But such information sharing is easier said than done, according to a new report from the Congressional Research Service, because it involves a thicket of conflicting and perhaps incompatible laws and policy objectives.

“The legal issues surrounding cybersecurity information sharing… are complex and have few certain resolutions.” A copy of the CRS report was obtained by Secrecy News. See Cybersecurity and Information Sharing: Legal Challenges and Solutions, March 16, 2015.

Cyber information sharing takes at least three different forms: the release of cyber intelligence from government to the private sector, information sharing among private entities, and the transfer of threat information from private entities to government agencies.

“While collectively these three variants on the concept of cyber-information sharing have some commonalities, each also raises separate legal challenges that may impede cyber-intelligence dissemination more generally,” said the CRS report, which examines the legal ramifications of each category in turn.

Among the concerns at issue are: the potential for liability associate with disclosure of cybersecurity information, inappropriate release of private information through open government laws, loss of intellectual property, and potential compromise of personal privacy rights.

All of these create a legal morass that may be unreconcilable.

“A fundamental question lawmakers may need to contemplate is how restrictions that require close government scrutiny and control over shared cyber-information can be squared with other goals of cyber-information sharing legislation, like requirements that received information be disseminated in an almost instantaneous fashion,” the CRS report said.

“Ultimately, because the goals of cyber-information legislation are often diametrically opposed, it may simply be impossible for information sharing legislation to simultaneously promote the rapid and robust collection and dissemination of cyber-intelligence by the federal government, while also ensuring that the government respects the property and privacy interests implicated by such information sharing,” the report said.

Other new or newly updated CRS reports that Congress has withheld from public distribution include the following.

Cybersecurity: Authoritative Reports and Resources, by Topic, March 13, 2015

EPA’s Proposed Clean Power Plan: Conversion to Mass-Based Emission Targets, March 17, 2015

Arctic National Wildlife Refuge (ANWR): A Primer for the 114th Congress, March 17, 2015

Federal Research and Development Funding: FY2016, March 18, 2015

The Federal Communications Commission: Current Structure and Its Role in the Changing Telecommunications Landscape, March 16, 2015

Mandatory Spending Since 1962, March 18, 2015

Jordan: Background and U.S. Relations, March 17, 2015

Balancing Tourism against Terrorism: The Visa Waiver Program, CRS Insights, March 13, 2015

U.S. Strategic Nuclear Forces: Background, Developments, and Issues, March 18, 2015

 

publications
See all publications
Emerging Technology
day one project
Policy Memo
The Medicare Advance Healthcare Directive Enrollment (MAHDE) Initiative: Supporting Advance Care Planning for Older Medicare Beneficiaries

At least 40% of Medicare beneficiaries do not have a documented AHCD. In the absence of one, medical professionals may perform major and costly interventions unknowingly against a patient’s wishes. 

12.02.24 | 14 min read
read more
Emerging Technology
day one project
Policy Memo
Driving Equitable Healthcare Innovations through an AI for Medicaid (AIM) Initiative

AI has transformative potential in the public health space, but innovation driven primarily by the private sector today may be exacerbating existing disparities by training models.

12.02.24 | 6 min read
read more
Emerging Technology
day one project
Policy Memo
Strategies to Accelerate and Expand Access to the U.S. Innovation Economy

With targeted policy interventions, we can efficiently and effectively support the U.S. innovation economy through the translation of breakthrough scientific research from the lab to the market.

11.27.24 | 16 min read
read more
Government Capacity
day one project
Policy Memo
Collaborative Intelligence: Harnessing Crowd Forecasting for National Security

Crowd forecasting methods offer a systematic approach to quantifying the U.S. intelligence community’s uncertainty about the future and predicting the impact of interventions, allowing decision-makers to strategize effectively and allocate resources by outlining risks and tradeoffs in a legible format.

11.27.24 | 5 min read
read more