As Congress prepares to move forward on critical cybersecurity legislation, some privacy and civil liberties advocates say that the biggest myth surrounding the proposal is that it would be voluntary. One writer, for instance, recently wrote this about the Cybersecurity Information Sharing Act (CISA):
The ‘cyber threat information’ that the government would be allowed to share with participating companies under the bill may, and foreseeably will, provide so much of a competitive advantage—the advantage of being ‘in the know’—that companies will be forced to participate simply to keep up with their participating competitors. Not to comply might actually harm their corporate interests and put their customers at risk.
This line of thinking seriously misses the voluntary nature of CISA on several fronts.
First, members of the Protecting America’s Cyber Networks Coalition and many other cybersecurity stakeholders have successfully pressed Congress from the outset to write legislation in a way that would restrict the government from compelling companies to turn over data of any kind. To this extent, industry and privacy groups agree on the critical point that firms must not be forced to report to the government.
We also believe, as privacy advocates surely do, that foreign governments must not enact cyber threat-sharing laws obliging companies to turn over information. Mandating the disclosure of cyber threat data and defensive measures would damage trusted relationships among businesses, consumers, and government entities that are needed to guard sensitive commercial and customer information from cyberattacks.
Second, CISA clearly contains language prohibiting a “new information sharing relationship” between a business and a government agency or department. The bill prevents the government from making a private entity amend or break a contract that it has with a business or government partner.
CISA also contains an “anti-tasking” provision, which ensures that a business is not obliged to provide information to the federal government. Indeed, the committee report that accompanies the legislation provides another backstop, saying that CISA “creates a completely voluntary information-sharing framework.” Both the letter and spirit of CISA show that “voluntary” indeed means voluntary.
Third, a proposed amendment to CISA, expected to be offered by Senator Jeff Flake (R-AZ), would further reinforce the voluntary nature of CISA – that is, that the legislation is meant to be optional and not coercive. Already garnering broad support, the amendment has a good shot at being adopted.
Nothing about CISA would establish a compulsory information-sharing process; if it did, the business community would vigorously reject it. Cybersecurity incident reporting is most powerful when government and industry collaborate, and that – not some obligatory system – is what CISA promotes.
CISA has been thoughtfully crafted to protect individuals’ privacy, while providing greater legal certainty to increase the timely exchange of actionable cyber threat information. The United States and its businesses need the Senate to bring up CISA as soon as lawmakers return from their summer recess. As far as we’re concerned, moving the bill to the president’s desk should be the only thing about CISA that isn’t voluntary.