CybersecuritySenate panel passes revised cybersecurity bill, but privacy concerns remain

Last Thursday, the Senate Intelligence Committee passed the Cybersecurity Information Sharing Act (CISA) meant to encourage the private sector to share data with federal agencies, with the hopes of preventing and responding to cyberthreats before they materialized. The bill is a reincarnation of the 2013 Cyber Intelligence Sharing and Protection Act (CISPA), which drew a veto threat from President Barack Obama because of privacy concerns.

Critics say that CISA, as was the case with its predecessor, would create a legal framework for companies to more closely monitor internet users and share that data with government agencies.

The American Civil Liberties Union (ACLU) has called CISA a privacy-shredding bill in cybersecurity clothing, adding that the bill is more of a surveillance act. “Instead of focusing on ways to make our data (and the devices we store it on) more secure, Washington keeps offering up ‘cybersecurity’ proposals that would poke huge holes in privacy protections and potentially funnel tons of personal information to the government, including the NSA and the military,” wroteRachel Nusbaum, media strategist with the ACLU Washington Legislative Office.

The Open Technology Institute described the bill as “cyber surveillance, not cybersecurity.”

International Business Times reports that the Senate Intelligence Committee voted 14-1 to advance the bill, with Senator Ron Wyden (D-Oregon) voting against the proposal. According to Wyden, if CISA does not include “adequate privacy protections then that’s not a cybersecurity bill — it’s a surveillance bill by another name,” he wrote. “It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.”

Senate Intelligence Committee chairman Richard Burr (R-North Carolina) told Bloomberg TV following the vote that amendments were made to the bill to prevent users’ information from being shared with government agencies. “We don’t want them to send personal data to the federal government, unless it’s absolutely crucial to show the cyberattack. So we bar them from providing that data to the federal government,” Burr said. “If it finds its way to the federal government, though, once we distribute it in real time and we realize there’s personal information, any company that discovers it has to remove it or minimize it in a way that it can’t be shared anywhere else.”

It is not clear when the bill will be presented for a full vote in the Senate, but ever since the Sony Pictures hacks last year, information sharing between the private and public sector has become a top priority for Congress and the White House. The Obama administration has issued its own guidelines for an information sharing bill that would funnel private sector information through DHS rather than intelligence agencies. Senator Dianne Feinstein (D-California) said twelve amendments from Democrats have made it into the final CISA bill, adding that one of them will require private sector information be filtered through DHS. The White House is likely to support the bill, Feinstein said. “I talked to the president’s chief of staff (Denis McDonough) yesterday,” Feinstein said last week, according to theHill. “I think he believes that a number of improvements have been made in the bill.”

— Read more in Version 2.0 of the Senate Intelligence Committee’s Cyber Information Sharing Act Is Cyber-Surveillance, Not Cybersecurity (Open Technology Institute, 26 February 2015)