A major information-sharing bill that’s in the Senate right now would allow private organizations to share threat data with any government agency, something that the Department of Homeland Security says could have severe privacy implications and cause confusion and inefficiencies inside the federal government.
The bill, known as the Cybersecurity Information Sharing Act, would allow private companies and other organizations to share vulnerability information and threat indicators with government agencies under most circumstances. The United States federal government has an extensive internal information sharing program, which is coordinated through DHS’s National Cybersecurity and Communications Integration Center, a clearinghouse for threat data. Some of that data also is shared outside of the government, with a small number of private organizations.
The CISA bill would encourage companies to contribute their threat intelligence to a DHS portal, but also would allow them to share it with any government agency, as long as it’s not prohibited by other laws. In a letter sent to Sen. Al Franken (D-Minn.), DHS officials say the bill could raise significant privacy concerns.
“The President’s January 2015 cybersecurity information sharing proposal contemplates that all cybersecurity threat indicators shared with the government would be shared through the NCCIC, a non-law enforcement, non-intelligence center focused on network defense activities. Permitting sharing directly with law enforcement and intelligence entities will be of significant concern to the privacy and civil liberties communities,” the letter from Alejandro N. Mayorkas of DHS says.
“The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers. (This concern is heightened by the expansive definitions of cyber threat indicators and defensive measures in the bill. Unlike the President’s proposal, the Senate bill includes “any other attribute of a cybersecurity threat” within its definition of cyber threat indicator and authorizes entities to employ defensive measures.)”
The letter, written in response to a letter last month from Franken to DHS Secretary Jeh Johnson, also says that if organizations are trying to share information through many different agencies, it could become confusing and inefficient.
“Equally important, if cyber threat indicators are distributed amongst multiple agencies rather than initially provided through one entity, the complexity–for both government and businesses–and inefficiency of any information sharing program will markedly increase; developing a single, comprehensive picture of the range of cyber threats faced daily will become more difficult,” the letter says.
“This will limit the ability of DHS to connect the dots and proactively recognize emerging risks and help private and public organizations implement effective mitigations to reduce the likelihood of damaging incidents.”
Franken, an opponent of the bill, said that the privacy issues with the information sharing provisions are too great to allow the bill to go forward.
“I think all Americans have a fundamental right to privacy—and it’s especially important in light of advancing technologies that continually threaten to outpace our laws,” said Franken. “The Department of Homeland Security’s letter makes it overwhelmingly clear that, if the Senate moves forward with this cybersecurity information-sharing bill, we are at risk of sweeping away important privacy protections and civil liberties, and we would actually increase the difficulty and complexity of information sharing, undermining our nation’s cybersecurity objectives.”