Two cybersecurity bills approved this week by the U.S. House of Representatives pose a threat to citizens’ privacy, according to opponents of the measures.
Both bills, H.R. 1560 and H.R. 1731, aim to improve sharing of cybersecurity information between businesses and government agencies.
“‘Information sharing’ is a misnomer,” said Gabriel Rottman, legislative counsel for the American Civil Liberties Union.
“Really, what we’re talking about is creating new exceptions to existing privacy law,” he told the E-Commerce Times.
While the bills deal with a similar subject, each has its own spin on how information should be shared.
H.R. 1560, the Protecting Cyber Networks Act, which passed the House Wednesday with a vote of 307-116, gives the Director of National Intelligence the power to create procedures for sharing information between the federal government and non-government entities.
H.R. 1731, the National Cybersecurity Protection Advancement Act, which cleared the House Thursday with a vote of 355-63, gives that power to the National Cybersecurity and Communications Integration Center in the U.S. Department of Homeland Security.
The extent to which the bills undermine privacy differs, too, noted Rottman.
“The House Intelligence bill [H.R. 1560] is particularly bad in that it doesn’t do enough to strip private information out before it goes to the government,” he said. “Once it goes to the government, it’s shared automatically with the military, intelligence agencies and the National Security Agency,” he explained.
“Once it’s there, it can be used for purposes far afield from cybersecurity,” continued Rottman, “including investigating and prosecuting violations of the Espionage Act, which has been used by the Obama administration to prosecute more national security whistle-blowers than all other presidencies combined.”
There is at least one element both measures have in common.
“All these bills have an exemption to FOIA [Freedom of Information Act],” said Jeramie D. Scott, national security counsel for the Electronic Privacy Information Center.
“The president and Congress have been looking to have something in the cybersecurity realm for a long time. It’s unfortunate that the bills they’re considering are not the type of measures that would have the biggest impact in improving cybersecurity,” he told the E-Commerce Times.
“They ought to be focusing on improving better cybersecurity hygiene instead of focusing on allowing the private sector to disclose personal information to the government,” added Scott.
While the purpose of the bills — to allow companies to share information about cyberthreats — is laudable, Congress’s approach may be overkill.
“Companies can be allowed to share information in a narrow manner by carving out small exceptions in existing law,” said Jake Laperruque, a privacy, surveillance, and security fellow at the Center for Democracy & Technology.
“These bills take the hatchet rather than the scalpel approach,” he told the E-Commerce Times. “They say that notwithstanding any law, you can share information for cybersecurity purposes.”
Supporters of the measures praised Congress for its actions.
“We commend the House on passage of two complementary cybersecurity bills that remove barriers to real-time sharing of cyberthreat indicators to improve our cyberdefenses,” said Michael Powell, president and CEO of the NCTA, which represents cable TV providers.
“Every day, cyberattacks threaten our nation’s economy, security and consumers,” he added. “With this growing threat, we are pleased to see congressional action that will facilitate more effective information sharing, while at the same time protecting Americans’ privacy and civil liberties.”
Something Better Than Nothing
While the bills passed by the House this week may be imperfect, they represent an important step for cybersecurity, asserted Ben Fitzgerald, director of the technology and national security program at the Center for a New American Security.
“The important thing is that Congress has actually acted on something,” he told the E-Commerce Times.
“Rather than get a perfect bill out, Congress needs to get in the habit of passing legislation on this issue and updating it frequently as everyone learns more about this problem,” Fitzgerald suggested.
“I don’t think the bills are that bad,” he added. “We should have some concerns, but the risks of not passing the bills are worse than those of passing them. Without them, we won’t have mechanisms for the private sector to share threat information with the government so we can have collaborative responses to cyberthreats.”
Both bills are headed for the Senate, which has its own bill on sharing cyberinformation. Differences between the chambers will have to be hammered out.