April 23, 2015
This week, the House of Representatives will vote on two bills that would authorize companies to share information about cyber threats with the government and with one another. Yesterday, over the strong opposition of New America’s Open Technology Institute, along with dozens of other organizations and security experts, it passed the Intelligence Committee’s Protecting Cyber Networks Act (PCNA, H.R. 1560). Today, it will vote on the Homeland Security Committee’s National Cybersecurity Protection Advancement Act of 2015 (NCPAA, H.R. 1731). Though some serious concerns remain, and we oppose both bills, when it comes to protecting privacy, the NCPAA is superior to the PCNA.
Under the NCPAA, companies would be authorized to share so-called “cyber threat indicators” with the government. Compared to the PCNA, the NCPAA would do a better job of protecting personal information from being shared with the government by more narrowly defining the term “cyber threat indicators” and thereby more narrowly limiting the scope of information to be disclosed.
Once the government receives information under the NCPAA, it would be permitted to use it only for cybersecurity purposes. Unlike under the PCNA, law enforcement agencies could not use the information to investigate crimes that have nothing to do with cybersecurity. This limitation is critically important to ensuring that this cybersecurity bill doesn’t become a backdoor for general-purpose cyber-surveillance.
The NCPAA is also an upgrade over the PCNA because it effectively cements civilian control over domestic cybersecurity. It does not include a requirement that DHS automatically disseminate all of the information it receives to the National Security Agency (NSA).
First, the PCNA’s definition of cyber threat indicator is broader than the definition in the NCPAA, so companies would be able to share more personal information with the government.
Even worse, the PCNA would authorize the government to use any of the information it receives to prevent, investigate, and prosecute a vast array of crimes that have nothing to do with cybersecurity. Those crimes run the gamut from terrorism to carjacking and arson to garden-variety violent crimes. These excessive use authorizations not only seriously threaten Americans’ privacy, they also make the PCNA as much a cyber-surveillance bill as it is a cybersecurity bill.
Finally, the PCNA would undermine civilian control of cybersecurity information sharing because it would require the government to automatically disseminate to the NSA every indicator companies share with it. This would vastly increase the NSA’s access to Americans’ personal information.
Neither bill is perfect. They both take the over-broad approach of authorizing information sharing “notwithstanding any other provision of law.” They could also harm privacy by authorizing companies to engage in blanket monitoring of their users’ activities, so long as it is for cybersecurity purposes. Finally, both authorize companies to deploy defensive measures, previously referred to as countermeasures, which would otherwise be illegal under current anti-hacking statutes like the Computer Fraud and Abuse Act. These measures could harm innocent third parties and may actually undermine Internet security rather than enhance it.
Those serious concerns aside, the NCPAA is still better than the PCNA when it comes to protecting Americans’ privacy and establishing effective civilian control over a new cybersecurity information sharing regime. However, we oppose both bills, as well as the other cybersecurity information sharing bills currently on the table.