On April 22, the U.S. House of Representatives advanced a cybersecurity information-sharing act. The thrust of the Act is to provide policies and procedures for the sharing of cyberthreat indicators and defensive measures between and among private entities and local, state, tribal, and federal governments. Many see the liability protection for sharing such information—provided it is shared according to the Act’s privacy scrubbing and other protections—as a key incentive for companies to participate.
However, Steptoe & Johnson’s weekly Cyberlaw Podcast observed a potentially fatal disincentive in the language. As written, the bill does not authorize any defensive measure that “destroys, renders unusable or inaccessible (in whole or in part) [emphasis added]...information stored on...[an] information system not owned by” the entity that operates or authorizes the defensive measure’s use on its behalf.
By definition, encryption is the application of an algorithm which scrambles data so that it cannot be read without a key to undo the algorithm (decryption). This sounds a lot like something that takes data and renders it “unusable or inaccessible (in whole or in part).”
The Steptoe & Johnson podcasters claim that if a company encrypts its data, and a hacker steals it and parks it on his hard drive, there may not be liability protection for the data on the hacker’s computer, since the encryption made the data unusable. Steptoe & Johnson only discussed the House information-sharing bill. However, Section 2 of the Senate’s cyberinformation-sharing bill defines a “defensive measure” very similarly.
Presumably, whichever bill is sent to the President will preserve this language, as the difference between the House and Senate definitions in this case (to a non-lawyer at least) is insubstantial. Unfortunately, the debate could get bogged down over the semantic difference between “unusable” and “inaccessible,” or the even-more ridiculous distinction of “belonging to” versus “owning.”
If the Steptoe & Johnson interpretation holds, it may undermine the chances that these info-sharing efforts become law. The original intent of this language, according to the committee report on the Act, was to prevent “hacking-back”. On April 29, several House Oversight Committee members championed the importance of encryption to both protect consumers and, in fact, prevent crime. Furthermore, they questioned law enforcement witnesses who insisted on a backdoor, with one Congressman calling it “technologically stupid”.
Given the potentially negative consequences to encryption, this language should be re-examined as the Senate and House bills are debated and reconciled in the coming months. Otherwise, if the Steptoe & Johnson interpretation prevails, Congress will be undermining the very tools it claims to support in safeguarding Americans’ private information.