A coalition of 30 companies and privacy groups, including Reddit and search engine DuckDuckGo, on Tuesday demanded that President Barack Obama promise to reject a controversial cybersecurity bill. The bill has come under fire for placing only loose limits on the sharing of cyber threat information among government agencies, including the National Security Agency (NSA), without properly filtering personal information out of it.
The controversial bill, the Cybersecurity Information Act (CISA), was marked up and passed in a closed Senate Intelligence Committee session on July 8, and it is expected to see a full Senate vote some time this year. The bill would encourage companies to share information about cyber threats with each other and with the federal government, but the coalition's letter to the president said the bill failed to “provide a comprehensive solution” to cyber threats because, among other complaints, it only addresses information sharing.
The bill sets few limits on how the government implements and shares the data once it receives it. If CISA becomes law, the data could be used for prosecution of a wide range of crimes not directly related to cybersecurity, including violations of the Espionage Act. In the letter, the privacy groups and tech companies stressed that the government could abuse this information to go after whistleblowers and journalists.
The letter lays out a detailed list of reforms that a more “comprehensive” bill would include, such as an incentive process to encourage companies to remove vulnerabilities more quickly. The coalition raises questions about the current transparency requirements for the government, calling the bill's exemption of information from Freedom of Information Act requests too broad. The letter also says neither the NSA nor any military agency should be allowed to have a central role in civilian cybersecurity practices.
As Alex Wilhelm and I noted in our original coverage of the bill, CISA is currently a “toxic mix” that has few provisions in place to make sure that personally identifying information is taken out of threat information that companies decide to share with the government.
Obama threatened to veto legislation similar to CISA, the Cybersecurity Intelligence Sharing and Protection Act, better known as CISPA, when it passed through the House in spring 2013. In the wake of revelations in June that year by former NSA contractor Edward Snowden, the president has even more of an incentive to reject this legislation now, as concerns about privacy and the overreaching power of the nation’s intelligence apparatus have grown.
The Hill reports the bill’s supporters are pushing for the bill to reach the floor next month. High-profile data breaches like the Target credit card case have shown cybersecurity is an area where reform is needed, but simply making it easier to allow companies to share threat information won’t go far enough. The coalition is right to hold out for a more comprehensive reform with fewer privacy implications.