Surveillance disclosures haunt search for common ground on cybersecurity

The revelations of bulk collection of telephonic and online data by U.S. spy agencies in the Edward Snowden leaks derailed the legislative debate on cybersecurity in 2013. Now the Obama administration and Congress are looking to get a cyber bill back on track, but the conversation has been altered by concerns among corporate players that their global brands have been diminished.

President Barack Obama looked to revive cybersecurity legislation in his State of the Union speech, and Republican leaders in Congress have indicated a willingness to work with the administration on a bill. A deal has proved elusive in part because of political disagreements over how information sharing between industry and government would work, and to what extent companies that share information with government would be protected against claims of privacy violations by their customers.

The administration proposal, if it gains the support of a few Senate Democrats, as appears likely, could go a long way toward easing concerns among industry about their exposure to lawsuits in the event they disclose personally identifiable information in the course of sharing cyber-threat profiles with government. A bipartisan bill floated by the Senate Select Committee on Intelligence during the lame-duck session is also in the mix.

"We're going to be looking at what are the concerns on both the White House bill and the Senate Intel bill," Sen. Ron Johnson told reporters after a Jan 28 hearing of the Homeland Security and Government Affairs Committee, designed to sound out industry on various recent proposals. "We're trying to get that out in the open -- that's the way you start that discussion." The Wisconsin Republican, who just took over as chairman of the panel, said he was "encouraged" by the hearing, and hopeful of getting a bill passed.

Industry heavyweight Microsoft, which has been defending its global data centers against the reach of U.S. orders in an ongoing case, is particularly wary of any new law that would give U.S law enforcement agencies more access to data on their customers.

"The biggest problem we have as a global company," Microsoft corporate vice president Scott Charney said in testimony at the hearing, "is customers in other countries say, 'will you turn over our data to the U.S. government.' That's what they're worried about." Charney also worries that over time business and institutional clients outside the U.S. will opt for local companies, to avoid the reach of U.S. law. "That in the long term for America would be a terrible thing."

Charney is also concerned that if a cybersecurity law is too intrusive, other countries where Microsoft operates will respond with their own laws that compel the production of threat information and other data. He advocates a relatively stripped down information-sharing system, in which personally identifiable data gleaned from threat information is stripped out at much as possible. Law enforcement or other agencies that seek more data for the purposes of criminal prosecution or to respond to threats should do so using existing legal channels. "Law enforcement and national security requests are distinct from information sharing, which centers on the voluntary sharing of information that enable stronger cyber defense," he said.

Another worry is the extent to which the government will store and repurpose data shared under the cybersecurity umbrella. The White House plan calls for the National Cybersecurity and Communications Integration Center at the Department of Homeland Security to serve as a clearinghouse for threat information. But the proposal provides for real-time sharing across government, including with defense and intelligence agencies.

"Cybersecurity information sharing could evolve into a surveillance program," said Gregory Nojeim, senior counsel at the Center for Democracy and Technology.

It's not clear whether the current round of cyber legislation will produce the kind of broad-based, grassroots opposition that doomed the Cyber Intelligence Sharing and Protection Act in 2012. But Microsoft's comments suggest that there could be industry support for stronger privacy protections than in previous bills.