A Zombie Bill Comes Back to Life: A Look at The Senate's Cybersecurity Information Sharing Act of 2014 | Electronic Frontier Foundation - 0 views
-
The Senate Intelligence Committee recently introduced the Cybersecurity Information Sharing Act of 2014. It’s the fourth time in four years that Congress has tried to pass "Cybersecurity" legislation. Unfortunately, the newest Senate bill is one of the worst yet. Cybersecurity bills aim to facilitate information sharing between companies and the government, but they always seem to come with broad immunity clauses for companies, vague definitions, and aggressive spying powers. Given such calculated violence to users' privacy rights, it’s no surprise that these bills fail every year. What is a surprise is that the bills keep coming back from the dead. Last year, President Obama signed Executive Order 13636 (EO 13636) directing the Department of Homeland Security (DHS) to expand current information sharing programs that are far more privacy protective than anything seen in recent Cybersecurity bills. Despite this, members of Congress like Rep. Mike Rogers and Senator Dianne Feinstein keep on introducing bills that would destroy these privacy protections and grant new spying powers to companies.
-
Aside from its redundancy, the Senate's bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures for a "cybersecurity purpose" against a "cybersecurity threat." "cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of the information system. Combined, the two definitions could be read by companies to permit attacks on machines that unwittingly contribute to network congestion. The countermeasures clause will increasingly militarize the Internet—a prospect that may appeal to some "active defense" (aka offensive) cybersecurity companies, but does not favor the everyday user. Second, the bill adds a new authority for companies to monitor information systems to protect an entity's rights or property. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.
-
Such sharing will occur because under this bill, DHS would no longer be the lead agency making decisions about the cybersecurity information received, retained, or shared to companies or within the government. Its new role in the bill mandates DHS send information to agencies like the NSA—"in real-time and simultaneous[ly]." DHS is even barred from "delay[ing]" or "interfer[ing]" with the information, which ensures that DHS's current privacy protections won’t be applied to the information. The provision is ripe for improper and over-expansive information sharing. This leads to a question: What stops your sensitive personal information from being shared by companies to the government? Almost nothing. Companies must only remove personally identifiable information if the information is known to be US person information and not directly related to the threat. Such a willful blindness approach is inappropriate. Further, the bill does not even impose this weak minimization requirement on information shared by, and within, the government (including federal, state, local, and tribal governments) thereby allowing the government to share information containing personally identifiable information. The bill should require deletion of all information not directly related to a threat.
- ...2 more annotations...