There are currently three major cybersecurity-related bills pending in the 114th Congress that address information sharing among private entities and between private entities and the federal government: the Protecting Cyber Networks Act (PCNA), H.R. 1560, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA), H.R. 1731, and the Cybersecurity Information Sharing Act of 2015 (CISA), S. 754. Some of the key issues that need to be resolved across these bills include: which agency will be designated as the lead clearinghouse for cyber threat information, what liability protections will be granted to those companies that do share information, and whether the structures established under any of these bills will also facilitate greater sharing of government threat information with the private sector. Although the bills all provide that existing reporting requirements will not be disturbed, such as those for Department of Defense (“DOD”) contractors, it remains unclear how these different reporting schemes will interact. Similarly, these bills do not address a provision in the House version of the 2016 National Defense Authorization Act that would provide liability protection to certain DOD contractors for properly reporting cyber incidents on their networks and information systems.

Restrictions on the sharing of cyber threat and vulnerability information are often raised as significant barriers to effective cybersecurity. But the sharing of such information is not without risk. In particular, private entities have raised concerns about how the government would use this information and whether such disclosures could result in antitrust, privacy or other legal complications. These bills look to increase incentives for cooperation between the government and the private sector in fending off cyber-attacks by encouraging private companies to voluntarily share information about the particular traits of cyber-attacks—what the bills refer to as “cyber threat indicators”—that they have previously encountered. In response to some of the concerns previously voiced by industry, these bills provide civil suit immunity for private entities that elect to share their information with each other and with the government. The bills also contain liability protection for contractors who monitor government computer systems. What follows is a brief comparison of all three major bills and why their different approaches may or may not benefit government contractors.

The House Bills

The PCNA is a product of the House Select Committee on Intelligence, and is intended to promote the voluntary sharing of intelligence related to “cybersecurity threats,” with sharing to be coordinated by the Director of National Intelligence (DNI). It is sponsored by the Committee’s chairman, Devin Nunes (R-CA), and has eight cosponsors, five of whom are Democrats. As previously reported by Covington’s Inside Privacy Blog, it was passed by the House with 307 votes in favor on April 22. The NCPAA is intended to amend the Homeland Security Act so that the Department of Homeland Security (DHS) coordinates the sharing of cyber threat indicators. It is sponsored by two Republicans, including House Homeland Security Chairman Michael McCaul (R-TX). It was passed by the House with 355 votes in favor on April 23.  Both bills were combined into H.R. 1560 — making the PCNA Title I and the NCPAA Title II — and then received by the Senate on April 27.

The Senate Bill

The Senate’s bill, CISA, is a product of the Senate Select Committee on Intelligence. The Committee’s report is available here. Senate Republicans tried and failed to add CISA to the Senate’s 2016 National Defense Authorization Bill on June 11, 2015, leaving the path for passage of the bill out of the Senate and into conference with the House unclear.[1]

Important Features of All Three Major Bills

  1. A Voluntary Process

All three bills state that the provisions in the bills are not intended to alter current contractual agreements between entities (or between contractors and federal entities) with regard to reporting cyber incidents. For example, section 109(g) of the PCNA states that “[n]othing in this title shall be construed to…amend, repeal, or supersede any current or future contractual agreement…between any non-Federal entity and a Federal entity.” Similar provisions are contained in the NCPAA and in CISA. It is unclear, however, whether the limitations on liability proposed for voluntary sharing of information could be extended to the reports currently required for cyber incidents involving unclassified controlled technical information (“UCTI”). Moreover, on April 27, 2015, House Armed Services Committee Chairman Mac Thornberry (R-TX) proposed an amendment to the 2016 NDAA that would provide liability protection to certain DOD contractors for properly reporting cyber incidents on their networks and information systems. If this provision is passed in the 2016 NDAA, it may need to be reconciled with the liability protections in the proposed bills for voluntary sharing of information.

Information sharing under these bills is intended as a voluntary process. All three bills contain an “anti-tasking restriction,” which prevents the federal government from requiring private entities to share information about cybersecurity threats. The bills also prohibit the government from conditioning the award of a contract on the provision of information about cyber threat indicators by the offeror. Furthermore, all three bills contain a clause protecting entities from any liability connected to choosing not to share information pursuant to the bills. Presumably, however, this does not prevent agencies, such as DOD and the Intelligence Community, from imposing separate reporting requirements on a regulatory and contractual basis, as currently exists for certain defense-related information. Nor do these bills appear to alter existing voluntary information sharing relationships, such as the Defense Industrial Base voluntary sharing initiative.

  2. Liability Protections for the Sharing of Cyber Threat Indicators

Because the sharing of cyber threat indicators is voluntary, the bills attempt to encourage participation by providing companies with immunity from any civil suit connected to disclosure pursuant to the bills. Thus, under any of the three proposed regimes, private companies that share cyber threat indicators with each other or with the government are protected against suits brought by those whose private information may have been inadvertently shared. These protections have led to some criticism of the bills in the media, especially by privacy advocates. In addition, many companies have existing relationships with the FBI, and it is unclear whether the liability protections would extend to information shared with law enforcement. Both the PCNA and CISA authorize the government to use any cyber threat indicators provided to it not only for “cybersecurity purposes,” but for a number of law enforcement purposes, including the prosecution of the theft of trade secrets.

There are also a few additional legal protections built into each bill that concern sharing information with the government in particular. Sharing cyber threat indicators does not entail a waiver of any privilege or protection, including trade secret protection. Further, under all three bills, the sharing of cyber threat indicators may not be subject to any rules or regulations concerning ex parte communications with federal officials.

Still, the protection provided by the bills is not absolute; those submitting information about cyber threat indicators must scrub the information to make sure they are not providing personally identifying information that is not related to the underlying threat. Those who engage in “willful misconduct,” or, in the case of CISA, “gross negligence” when sharing this information and scrubbing it of personal data may still be held liable.

  3. A Lack of Reciprocity

Perhaps the biggest downside of all three bills for many government contractors is that there does not appear to be any immediate, direct benefit to sharing information with the government. While contractors who share information with the government cannot be held legally liable for the information they shared under normal circumstances, they also receive no special consideration in exchange for sharing this information. While a general climate in which information about cyber threat indicators is spread rapidly could be beneficial, it would appear from the current bills that there are many benefits associated with receiving information about cyber threat indicators, and few benefits associated with providing that information. This lack of incentive has been noted by commentators, including the Congressional Research Service.

  4. Monitoring and Defensive Measures

Contractors who provide cybersecurity services may note that all three bills expressly permit private entities to monitor and defend the computer systems of federal agencies, contingent on written authorization. Under the bills, “monitoring” generally involves scanning the contents of a computer system, while “defensive measures” are actions or other measures applied to information systems that prevent or mitigate known or suspected cybersecurity risks, threats, or security vulnerabilities. The PCNA and CISA specify that private entities will be protected from liability related to engaging in “monitoring” of government and private computer systems. The NCPAA also provides a liability exception, a textual difference being that it uses the term “Network Awareness” as opposed to “Monitor.” However, none of the three bills provides a liability exception for a private company’s operation of a defensive measure on a government or third-party information system if such defensive measure causes harm to that system. Interpreting which actions are monitoring and which actions rise to a “defensive measure” could be another challenge for contractors. In May, Assistant Attorney General Leslie Caldwell stated at the Georgetown Cybersecurity Law Institute conference that the Department of Justice is “considering whether to offer guidance on other types of effective and truly defensive countermeasures that are considered to be beneficial by cybersecurity experts.” The guidance would not address hacking back, which DOJ considers unlawful under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, but the guidance may illustrate permissible steps that companies could take to address cyber threats. Her full comments are linked here.

Important Differences

  1. Different Reporting Structures

The principal difference between the PCNA and CISA on one hand, and the NCPAA on the other, is the chosen method for how information about cyber threat indicators is to be shared with the government. The PCNA states that information is to be shared with “appropriate federal entities except DOD,” which includes most major departments; procedures governing the sharing will be developed by the DNI. The PCNA also provides specific requirements for the Administration’s newly created Cyber Threat Intelligence Integration Center, which include requiring it to be located within the DNI and to serve as “the primary organization within the Federal Government for analyzing and integrating all intelligence possessed or acquired by the United States pertaining to cyber threats.” CISA specifies that information is to be shared with “the federal government through [a] real-time process” developed by DHS. The NCPAA also looks to DHS, and cites the agency’s National Cybersecurity and Communications Integration Center (NCCIC) as the clearinghouse for data. Any final law would need to reconcile these reporting schemes.

The Bottom Line

The bottom line for most contractors is that any current contractual obligations to report cyber incidents should not be altered by any of the three cybersecurity bills currently pending. Under the bills, the government cannot condition the award of a contract on a provision requiring the sharing of cybersecurity threat information. However, the bills do not eliminate existing mandatory reporting requirements, nor do they impose limits on any new such requirements. Those interested in voluntarily sharing cyber threat indicators with the government or other non-federal entities may benefit from the liability limitations in the bills, but will not receive any special compensation for sharing. Contractors who monitor federal computer systems will need to understand the line between monitoring and defensive measures to take advantage of the liability limitations in any bill that is finally passed. Although these bills appear to be a step in the right direction as far as limitations of liability, some private firms, especially those in the commercial sector, are still looking for more guidance and threat information from the government.

* Peter Terenzio is a summer associate at Covington & Burling LLP.  He is a student at the Georgetown University Law Center.

[1] There are two other legislative proposals in addition to the PCNA, NCPAA, and CISA. The Cyber Intelligence Sharing and Protection Act, H.R. 234, has seen no action since being introduced in the House early in 2015. The Senate’s Cyber Threat Sharing Act of 2015, S. 456, is similar to a White House legislative proposal. This bill has similarly remained dormant since first being introduced. Neither of these proposed laws contains the depth of the three major bills.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Peter Terenzio

Peter Terenzio routinely advises clients regarding the multiple regulatory regimes that apply to federal contractors. His practice also extends outside of traditional government procurement contracts to include federal grants and Other Transaction Authority (OTA) research, prototype, and production agreements.

Among other things, Peter regularly helps clients with the constantly evolving domestic-preference requirements promulgated pursuant to various federal laws, including, for example, the Buy American Act (BAA) and Trade Agreements Act (TAA), but also including more recently the Inflation Reduction Act (IRA) and Infrastructure Investment and Jobs Act (IIJA). He also has particular experience with helping clients navigate the complicated prevailing wage rules imposed by the Davis-Bacon Act (DBA) and Service Contract Act (SCA). Peter has used this regulatory knowledge to help clients negotiate the specifics of their contracts, grants, and OTA agreements.

Peter also has significant experience with the disputes that may arise during the execution of government prime contracts. He knows how to work closely with the client’s subject matter experts to prepare and submit detailed requests for equitable adjustment (REAs) in order to secure much-needed price or schedule relief. Where necessary, he has assisted clients with converting their REAs into certified claims, and when disputes cannot be resolved at the Contracting Officer level, he has helped clients vindicate their contractual rights in litigation before the Boards of Contract Appeals.