After years of debate over how Washington and the private sector should cooperate on confronting cybersecurity threats, last week President Obama signed into law the Cybersecurity Act to vastly expand the flow of information on digital threats into federal agencies.
While the law signed as part of a $1.1 trillion omnibus package aims to boost the exchange of data between the private sector and the government, the information sharing act has been maligned by critics as a Patriot Act in disguise, another mechanism for government spying on citizens, and an overall detriment for cybersecurity. Before its passage, the Electronic Frontier Foundation launched a petition campaign against the measure, calling it a "privacy invasive surveillance bill that must be stopped."
While it's too early to know how the legislation previously known as the Cybersecurity Information Sharing Act, or CISA, will be put into practice, the primary thrust of the law is to give liability protection to companies that share cyberthreat information with the Department of Homeland Security (DHS), including details on data on breaches, phishing attacks, and malware downloads. The law also calls upon DHS to automate data sharing with other federal government agencies and scrub any personal information included that's not relevant to cybersecurity.
"If anything, it’s about connecting the dots," says Matthew Eggers, senior director for national security and emergency preparedness at the US Chamber of Commerce, which is part of the Protecting America’s Cyber Networks Coalition, which includes dozens of industry groups such as the American Bankers Association and the United States Telecom Association that have championed other information sharing bills in the past. "We’re trying to paint a better threat picture of the bad actors so we can get out in front of cyberattacks before they happen."
But even though critics worry that sharing information about potential cyberthreats with the government could implicate innocent people, Mr. Eggers says the Cybersecurity Act isn't creating a path for excessive sharing of personal information or additional government surveillance. "You can’t just willy-nilly share personal data," he said.
The notion of expanding cybersecurity threat sharing between the government and the private sector isn’t new: The bill that passed the Senate in October dates back to 2011, and built upon provisions drafted by Sen. Dianne Feinstein in July 2014. In the wake of the Edward Snowden revelations about pervasive National Security Agency surveillance, however, those earlier efforts failed to gain enough support to pass Congress.
In the revived CISA bill, which the Obama administration pushed for in the wake the Sony Pictures hack, lawmakers removed the NSA and the Pentagon as information sharing portals. Privacy advocates had been especially worried those agencies could use that sort of information from tech companies to widen existing surveillance practices.
Under the new Cybersecurity Act, the president can give another federal agency other than DHS the ability to provide companies legal cover in exchange cyberthreat info, as long as it isn’t the Pentagon or the NSA.
Even though supporters say privacy assurances are built into the act to prevent unnecessary sharing of personal information, many privacy advocates still aren't satisfied with the legislation. Groups such as the Center for Democracy and Technology worry that the onus on quickly sharing threats will make scrubbing private data practically impossible.
Others say that that the act's definitions of what constitutes cyberthreats are overly broad, opening the possibility that federal authorities will be scooping up data about other potential crimes that don't involve information security.
"It’s not narrowly tailored to the purposes of the bill," says Robyn Greene, legal counsel at the New America Foundation’s Open Technology Institute. "It goes far beyond cybersecurity."
Ms. Greene worries that the enacted law allows authorities to use data shared with them to prosecute other potential criminal activity, such as terrorism, espionage, and a host of other crimes that might not fall directly in the realm of cybersecurity.
Specifically, Greene says the language in the final bill gives the government a lot of leeway in terms of how they use the cyberthreat indicators, giving intelligence and law enforcement agencies more flexibility in data collection.
"There's no threshold that constitutes a threat," she said. "It could be us getting locked out of our online bank accounts, which under the law, a company could reasonably define as a cybersecurity threat and use to investigate."
Several critics of the bill have also pointed to legal liability that it provides as a problems, saying it gives companies too much cover for giving the government potentially sensitive or damaging information.
But Tom Boyd of the National Business Coalition says that protection is critical for getting companies to participate in the first place.
"Unless you have some sort of government action which justifies the sharing with relative protection, it's not going to happen," says Mr. Boyd, who serves as legal counsel for the coalition on e-commerce and privacy issues.
Apart from privacy concerns about the new legislation, other critics say that all the effort around sharing information simply distracts from putting into practice good digital habits that can mitigate the cybersecurity problem for both businesses and government agencies.
"A lot of companies need to start investing in cybersecurity as much as they do in parking lot security," says Jadzia Butler, a fellow at the Center for Democracy and Technology. "I think the more we discuss this internally, the most important thing would be to encourage cyberhygiene."