CybersecurityPatriot Act’s reauthorization an obstacle for cyber information sharing bill

Published 28 January 2015

Recent cyber hacking incidents have persuaded lawmakers to pass a cyber information sharing bill which will help protect U.S. private sector networks. Business groups and federal intelligence agencies insist that information exchange is critical to protecting the nation’s cyber infrastructure. One of the hurdles to passing such a bill is that by 1 June, Congress must reauthorize sections of the Patriot Act which are the basis for the NSA’s most controversial surveillance programs. Many lawmakers consider NSA reform to be essential before they can support the White House’s cybersecurity proposal, which would allow cyber information sharing between the public and private sector.

Recent cyber hacking incidents, including attacks on Sony Pictures, Target, Home Depot, and JPMorgan Chase have persuaded lawmakers to pass a cyber information sharing bill which will help protect U.S. private sector networks. Business groups and federal intelligence agencies insist that information exchange is critical to protecting the nation’s cyber infrastructure.

One of the hurdles to passing such a bill is that by 1 June, Congress must reauthorize sections of the Patriot Act which are the basis for the NSA’s most controversial surveillance programs. Many lawmakers consider NSA reform to be essential before they can support the White House’s cybersecurity proposal, which would allow cyber information sharing between the public and private sector.

I think whenever you talk about cyber information sharing, you’re going to have to address the NSA issue, or, more properly, the privacy issue,” said Alex Manning, who was staff director of the House Homeland Security Subcommittee on Cybersecurity last Congress.

The Hill reports that under President Barack Obama’s proposal, DHS would be at the center of cyber information sharing between the nation’s private sector and the government agencies that would respond to cyber threats. These companies would be granted protection from lawsuits targeting data sharing with federal agencies and other businesses. To gain that protection, companies must remove “unnecessary personal information” from shared data. Civil liberties groups still believe that some personal information will be shared with the federal government, which could later be used in law enforcement investigations that have nothing to do with the cyberattacks.

The Obama administration hopes DHS’s involvement would curb previous concerns about the NSA’s domestic surveillance activities. “I think the politics are you don’t want NSA doing a domestic security role, or if they do it has to be very limited,” said Jim Lewis, a cyberwarfare expert at the Center for Strategic and International Studies (CSIS). “And cybersecurity would be very much like domestic surveillance.”

Privacy advocates agree that putting DHS at the center of any cyber information sharing bill is a step in the right direction, but they want measures put in place that would protect private sector customer information from reaching the NSA. “Instead of calling on Congress to pass information sharing legislation, the president should again call for the passage of effective surveillance reform,” said Robyn Greene, policy counsel for the Open Technology Institute.

Lewis believes a final cyber information sharing bill will include three measures: legal protections for companies sharing information with the federal government; a definition of what constitutes “cybersecurity information;” and limitations on how the government can access and use that information.

Later today, the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on the cyber information sharing bill Obama alluded to in his State of the Union speech. “The president’s proposal is an important first step in developing that legislation,” said committee chairman Senator Ron Johnson (R-Wisconsin).