While Congress is enjoying its annual summer recess, privacy advocates are worried that the White House’s recent endorsement of the controversial CISA bill–which has been criticized by DHS officials, among others–will push the information-sharing bill over the goal line.
The Cybersecurity Information Sharing Act is the latest incarnation of Congress’s decade-long effort to legislate some form of threat and vulnerability information sharing. The bill is a close cousin of the much-maligned CISPA measure from several years ago, and it contains several provisions that have worried not just privacy advocates and security experts, but also some government officials. CISA is designed to allow private companies to share threat intelligence with many government agencies in most cases. Right now, this kind of activity is run through a portal operated by the Department of Homeland Security, and DHS officials said earlier this month that allowing companies to funnel information to any agency could be problematic.
“The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers. (This concern is heightened by the expansive definitions of cyber threat indicators and defensive measures in the bill. Unlike the President’s proposal, the Senate bill includes ‘any other attribute of a cybersecurity threat’ within its definition of cyber threat indicator and authorizes entities to employ defensive measures.),” a letter from Alejandro N. Mayorkas of DHS to Sen. Al Franken (D-Minn.) says.
The CISA bill has drawn criticism from many quarters, but the Obama administration is encouraging the Senate to pass the bill, according to a report by The Hill. The EFF is concerned that the White House’s endorsement will give CISA the momentum it needs to pass. One of the EFF’s key concerns with CISA is that it doesn’t have a requirement for companies to strip out unrelated personal information before sharing it with the government.
The Obama administration threatened in 2012 to veto CISPA, but is putting its weight behind this newest version of the bill.
“The administration has invested immense capital into looking strong on cybersecurity since January. And instead of publishing another veto threat, the White House Press Secretary urged the Senate to pass CISA. There was no deep analysis as in 2012. There was no explanation about CISA’s own privacy problems. And there was no acknowledgement about the White House’s sudden change in position,” Mark Jaycox of the EFF said in a blog post.
Congress is due back from its recess after Labor Day.