Opposition to Info Sharing Bill Grows
Feinstein Defends Measure as Balancing Privacy, Security Needs
As Senate leaders postponed a committee vote on cyberthreat information sharing legislation, a coalition of privacy and civil liberties groups mobilized to oppose the Cybersecurity Information Sharing Act of 2014.
The Senate Intelligence Committee had scheduled a vote on the measure on June 26, but postponed it because too many senators had left town already for the Independence Day holiday, says a spokesman for the committee's chair, Dianne Feinstein, D-Calif. The committee has not scheduled a new date for a markup session, when panel members can amend and vote on the measure.
In a letter sent by the coalition of technology, privacy and civil liberties advocates to Feinstein and the committee's ranking Republican member, Saxby Chambliss of Georgia, the group contends the bill known as CISA could provide a backdoor to allow the National Security Agency to spy on Americans.
"The recent revelations about NSA surveillance show how important it is for Congress to legislate with care when communications privacy is at stake, as it is in this legislation," says Greg Nojeim, senior counsel for the Center for Democracy and Technology.
The coalition contends the bill would expedite a massive flow of private communications data to the NSA despite revelations leaked by former contractor Edward Snowden regarding NSA mass surveillance. The group says CISA reverses many of the privacy safeguards that were incorporated in the information sharing legislation the Senate last considered in 2012.
Feinstein Responds to Critics
Asked about the coalition's objections to the bill, Feinstein - its prime sponsor - issued a statement saying the intelligence committee had met with and heard from privacy advocates and made changes where appropriate to address their concerns.
"I believe the bill strikes a balance between the need to share information to improve cybersecurity and the need to safeguard the information being shared," Feinstein says.
"The bill would enable and encourage voluntary sharing of cybersecurity threat information," she says. "It includes numerous privacy protections to ensure individuals and companies do not inappropriately share personally identifying information and to protect against the government's use of voluntarily shared cybersecurity information outside of narrow cyber-related purposes."
Coalition Lists Objections
Still, the coalition contends the bill does not go far enough to protect privacy and liberties. Specifically, the group lists six major concerns about the measure:
- Militarizes civilian cybersecurity program. CISA requires that cyberthreat indicators shared from the private sector with the Department of Homeland Security be immediately disseminated to the Department of Defense, which includes the NSA and U.S. Cyber Command.
- Provides inadequate use limitations. As written, the bill could create a backdoor for warrantless use of information the government receives for investigations and prosecutions of crimes unrelated to cybersecurity.
- Fails to protect personally identifiable information. The bill does not require the government to remove personal information before sharing cyberthreat indicators.
- Provides too broad liability protection for countermeasures. CISA defines "countermeasures" broadly, which invites reckless and careless use of countermeasures - actions taken against intruders - that could inadvertently harm bystanders.
- Arbitrarily harms average Internet users. Countermeasures could be employed against cyberthreats absent risk of liability by businesses or government agencies and could lead to use of countermeasures in response to mere "terms of service" violations.
- Infringes net neutrality policy. The bill doesn't include provisions clarifying that nothing in the law could be construed to modify or alter any "open Internet" rules the FCC might adopt.
Awaiting Word from White House
The Obama administration has yet to voice its support or opposition to CISA. But it has threatened to veto similar legislation that has passed the House of Representatives because it contends that bill, the Cyber Intelligence Sharing and Protection Act, doesn't provide sufficient privacy and civil liberties protections and too broadly defines liability protections (see White House Threatens CISPA Veto, Again).
The mostly left-of-center coalition normally would be a natural constituency for President Obama, but the advocacy groups have differed with the president over other policies, such as NSA collection of data on Americans. Because the administration has yet to comment on the bill, it's unclear what influence these groups would have on the administration's stand on the legislation that has some bipartisan support.
Without cyberthreat information sharing legislation, many businesses would be reluctant to share cyberthreat information with the government and other businesses because they fear they could be sued under the government's antitrust law for illegally colluding with competitors. Though the Obama administration has assured businesses that they wouldn't be sued by the government, a statute would provide stronger protections (see Feds OK Businesses to Share Cyberthreat Info). At issue, at least between the president and the House, is how broad those liability protections should be.
In addition, such legislation would encourage businesses to share cyberthreat information in a manner that wouldn't require them to reveal trade secrets.
Pressure is mounting for Congress to vote on cyberthreat information sharing legislation. "Congress ought to act and do what it thinks is best and see where the administration is, and then deal back and forth," former NSA Director Keith Alexander told Information Security Media Group (see The 'Disappearance' of Keith Alexander). "That's how our constitution talks about it; perhaps we ought to use it."
Nearly two dozen organizations signed the letter, including the American Civil Liberties Union, American Library Association, Council on Islamic American Relations, Electronic Frontier Foundation and People for the American Way.