Another cybersecurity proposal is wending its way through the U.S. Congress, this one designed to relax the liability of Internet service providers (ISPs) when reporting a potential threat.
The Cyber Security and Enhancement Act of 2001 (HR-3482), introduced in December by Texas Republican Representative Lamar Smith, also calls for strengthened penalties for cybercrime and increased funding for a government-run center to detect security threats. The bill is one of a handful of congressional initiatives designed to fortify information security, including the Cyber Security Research and Development Act, which was approved by the U.S. House of Representatives last week, and the Cybersecurity Preparedness Act of 2002 and the Cybersecurity Research and Education Act of 2002, both introduced in the Senate in January.
Representative Smith, chairman of the House Judiciary Committee’s Subcommittee on Crime, held a hearing Tuesday regarding his proposed legislation. The bill is scheduled for markup, or review, in the crime subcommittee on Thursday.
The bill builds on the USA Patriot Act signed by President George W. Bush last October that included a number of antiterrorism measures.
The Cyber Security and Enhancement Act of 2001 proposes that the U.S. Sentencing Commission strengthen penalties related to cybercrime so that they better reflect the seriousness of the crime. It also allots US$58 million in funding to the U.S. Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC), which could serve as a national focal point for coordinating threat assessments and responses.
It also would provide liability protection to ISPs that report to officials suspected cybercrime, such as an e-mail bomb threat that crosses an ISP’s network. While the Patriot Act authorized such reporting, ISPs have to show reasonable belief of immediate risk of death or personal injury, according to Clint Smith, president of the U.S. Internet Service Providers Association (USISPA), who testified at Tuesday’s hearing and who supports the bill. Showing reasonable belief of immediate risk puts a burden on ISPs and might prevent them from reporting a suspected threat to officials, Smith said.
The Cyber Security and Enhancement Act of 2001 would remove the “immediate” condition of the Patriot Act and replace “reasonable” belief with “good faith” belief of a threat, Smith said. The bill also explicitly grants ISPs immunity from liability when they act in good faith, he said.
But an official with the Center for Democracy and Technology (CDT), an Internet civil liberties public interest group, said the bill would threaten the privacy of communication.
“As drafted, (the bill) would allow many more disclosures of sensitive communications without any court oversight or notice to subscribers,” read the written testimony of Alan Davidson, associate director of CDT, who also spoke at Tuesday’s hearing.
The bill has loopholes, Davidson said, because it expands ISP disclosure to not just law enforcement officials, but any government entity. Because the bill removes the requirement that a suspected threat be immediate, ISPs could disclose communications describing an event far in the future, or even a hypothetical one, he said. And without the requirement to prove reasonable belief of risk, ISPs could report communications without ramification.
Safeguards such as requiring notice to a subscriber that their communication was reported to officials should be put in place, Davidson added.
The House Judiciary Committee can be found on the Web athttp://www.house.gov/judiciary/
The USISPA can be reached at +1-202-862-3816 or athttp://www.usispa.org/
CDT can be reached at +1-202-637-9800 or athttp://www.cdt.org/