And now for an update in the continuing saga of the Cybersecurity Information Sharing Act (CISA), a controversial piece of legislation currently in the Senate that, to some, represents an important tool to bolster the sharing of threat data between the government and private entities, and to others is a privacy-wrecking mess.
Senator Al Franken today released a letter written by Alejandro Mayorkas, the Deputy Secretary of the United States Department of Homeland Security (DHS), in response to a set of questions from the Senator's office. In the letter, aside from details on how the government currently handles the dissemination of threat data, Mayorkas argues that CISA raises significant privacy concerns.
The following two paragraphs come from the letter (bolding TechCrunch):
While the Cybersecurity Information Sharing Act seeks to incentivize non-federal sharing through a DHS portal, the bill’s authorization to share with any federal agency “notwithstanding any other provision of law” undermines that policy goal, and will increase the complexity and difficulty of a new information sharing program. […]
The authorization to share cyber threat indicators and defensive measures with “any other entity or the Federal Government,” “notwithstanding any other provision of law” could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.
It’s worth noting here that a number of technology firms and privacy groups have spoken up this summer in opposition to the bill.
The DHS, in its letter, doesn’t merely knock CISA for privacy guard rails that are incomplete at best; it also argues that sharing “cyber threat indicators […] among multiple agencies,” instead of through “one entity,” will lead to more “complexity” and “inefficiency” for both the public and private sectors. That’s to say that if you fire all the data into every corner, it tends to pile up and bury the stuff you might have needed.
The Senator dished in a comment following his receipt of the DHS’s response:
The Department of Homeland Security’s letter makes it overwhelmingly clear that, if the Senate moves forward with this cybersecurity information-sharing bill, we are at risk of sweeping away important privacy protections and civil liberties, and we would actually increase the difficulty and complexity of information sharing, undermining our nation’s cybersecurity objectives.
It isn’t clear if there is enough time in the Senate’s calendar to actually pass the damn thing. As the National Journal recently reported, there is “precious little time to get skeptical senators on board for a major overhaul of the nation’s cybersecurity laws—the final item on Majority Leader Mitch McConnell’s pre-recess checklist.”
The House, to its own credit, passed a different cybersecurity bill, called the Protecting Cyber Networks Act. That bill, as TechCrunch previously reported, “requires two scrubs of personal information from the shared threat information, one by private sector companies and one by the government.” It was also noted at the time that the bill does not allow for direct sharing of information with the NSA.
The irony there is for you to enjoy, and not for me to highlight. Still, small victories are still victories.