“The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats – not personal information – in order to better defend against attacks,” she said, adding that the committee had made “more than a dozen significant changes from last year's version. The privacy provisions are substantial and I believe address many of the concerns that had been raised in regard to earlier drafts of the bill.”
For anybody following the issue, this sounds like déjà vu all over again.
It was three years ago, in 2012, that a number of bills – the most prominent called the Cyber Information Sharing and Protection Act (CISPA) – were also the subject of fierce debate, over the same issues.
While initially supported by industry in general, that support began to erode when Mozilla, the nonprofit Internet search firm, came out against it. The company said CISPA, “has a broad and alarming reach that goes far beyond Internet security. The bill infringes on our privacy, includes vague definitions of cyber security, and grants immunities to companies and government that are too broad around information misuse.”
Former U.S. Rep. and Republican presidential candidate Ron Paul described it as, “Big Brother writ large, putting the resources of private industry to work for the nefarious purpose of spying on the American people.”
Opponents of CISA contend it has the same problems. The letter to Obama argued that it, “fails to protect users’ personal information. It allows vast amounts of personal data to be shared with the government, even that which is not necessary to identify or respond to a cybersecurity threat.”
The bill, as written, also authorizes government at all levels, “to use cyber threat indicators to investigate crimes that have nothing to do with cybersecurity, such as robbery, arson, and carjacking, as well as identity theft and trade secret violations,” the letter said.
All of which prompts at least two questions: Is it even possible to craft a bill that encourages threat information sharing while still protecting privacy and civil liberties? And is it worth continuing to try?
According to Tien, such legislation is not really necessary. “Over and over, we hear senators, and the White House, solemnly insist that information sharing is needed,” he said. “Yet they can’t even begin to connect failures of information sharing to the attacks and data breaches we read about, such as Target, Neiman-Marcus, OPM (federal Office of Personnel Management) or Ashley Madison.”
The problem, he said, is weak security. He cited the recent 3-0 U.S. 3rd Circuit Court of Appeals decision upholding the Federal Trade Commission’s (FTC) authority to sue the Wyndham hotel chain for lax security that resulted in breaches in 2008 and 2009, which compromised the data of more than 600,000 customers and led to $10.6 million in fraudulent charges.