Congress moves forward on cyberthreat sharing bill despite privacy concerns
The U.S. House of Representatives may vote on a controversial cyberthreat information sharing bill this week, despite major privacy concerns from many digital rights groups and security researchers.
The Protecting Cyber Networks Act “seriously threatens privacy and civil liberties, and would undermine cybersecurity, rather than enhance it,” said a letter sent this week by 55 digital and civil liberties groups, security researchers and academics.
The PCNA, one of two cybersecurity bills that the House may vote on this week, would come to the House floor about a month after it was introduced, an unusually fast process for legislation. Without holding any public hearings on the bill, the House of Representatives Intelligence Committee voted to approve the bill in late March, just two days after it was introduced.
The bill would protect from consumer lawsuits those companies that share cyberthreat information with each other or with government agencies. Proponents of the cyberthreat information-sharing bills, including many tech companies, argue that more sharing of cyberthreat information can help businesses better respond to attacks, but victims of cyberattacks need assurances that information sharing won’t lead to legal problems.
But the bill would also authorize companies to expand their monitoring of users’ or customers’ online activities and permit them to share “vaguely defined” cyberthreat indicators, said the letter from bill opponents, including the American Civil Liberties Union, Free Press, the Electronic Frontier Foundation and the New America Foundation’s Open Technology Institute.
The PCNA would also require federal agencies to share all cyberthreat indicators they receive with the U.S. National Security Agency and any other agencies, and would allow law enforcement agencies to use the shared information for several crimes and activities that “have nothing to do with cybersecurity,” the letter said.
The bill would also allow companies to deploy “invasive countermeasures, euphemistically called defensive measures,” the letter said. Those defensive measures could harm innocent people not involved in cyberattacks and could undermine cybersecurity, the groups said.
While the digital rights and civil liberties groups oppose the bill, three telecom industry trade groups wrote Congress in support of it. The PCNA, along with another cyberthreat information sharing bill being considered by the House, “would provide critically important authorizations for real-time sharing” among private companies and between private companies and the government, said the letter, from CTIA, the National Cable and Telecommunications Association and the United States Telecom Association.
The bills will resolve “legal uncertainties” that prevent companies from sharing cyberthreat information quickly, the groups said.
The House Intelligence Committee has defended the PCNA, disputing allegations that it’s a surveillance bill as much as a cybersecurity bill.
The bill does not require companies to share information, only allows voluntary sharing, the committee said in a fact sheet about the PCNA.
“The bill has nothing to do with government surveillance; rather, it provides narrow authority for the government and the private sector to share anonymous cyber threat information,” according to the fact sheet. “The bill expressly does not give authority to companies to send information directly to the NSA or the military.”
A second cyberthreat sharing bill that may come to the House floor has fewer privacy concerns attached to it. In addition to the PCNA, the House may also vote on the National Cybersecurity Protection Advancement Act this week.