Congress moves forward on cyberthreat sharing bill despite privacy concerns

The House may vote this week on a bill that would allow shared cyberthreat information to be passed to the NSA and law enforcement agencies

The U.S. House of Representatives may vote on a controversial cyberthreat information sharing bill this week, despite major privacy concerns from many digital rights groups and security researchers.

The Protecting Cyber Networks Act "seriously threatens privacy and civil liberties, and would undermine cybersecurity, rather than enhance it," said a letter sent this week by 55 digital and civil liberties groups, security researchers and academics.

The PCNA, one of two cybersecurity bills that the House may vote on this week, would come to the House floor about a month after it was introduced, an unusually fast process for legislation. Without holding any public hearings on the bill, the House of Representatives Intelligence Committee voted to approve the bill in late March, just two days after it was introduced.

The bill would protect from consumer lawsuits those companies that share cyberthreat information with each other or with government agencies. Proponents of the cyberthreat information-sharing bills, including many tech companies, argue that more sharing of cyberthreat information can help businesses better respond to attacks, but that victims of cyberattacks need assurances that information sharing won't lead to legal problems.

But the bill would also authorize companies to expand their monitoring of users' or customers' online activities and permit them to share "vaguely defined" cyberthreat indicators, said the letter from bill opponents, including the American Civil Liberties Union, Free Press, the Electronic Frontier Foundation and the New America Foundation's Open Technology Institute.

The PCNA would also require federal agencies to share all cyberthreat indicators they receive with the U.S. National Security Agency and any other agencies, and would allow law enforcement agencies to use the shared information for several crimes and activities that "have nothing to do with cybersecurity," the letter said.

The bill would also allow companies to deploy "invasive countermeasures, euphemistically called defensive measures," the letter said. Those defensive measures could harm innocent people not involved in cyberattacks and could undermine cybersecurity, the groups said.

While the digital rights and civil liberties groups oppose the bill, three telecom industry trade groups wrote Congress in support of it. The PCNA, along with another cyberthreat information sharing bill being considered by the House, "would provide critically important authorizations for real-time sharing" among private companies and between private companies and the government, said the letter, from CTIA, the National Cable and Telecommunications Association and the United States Telecom Association.

The bills will resolve "legal uncertainties" that prevent companies from sharing cyberthreat information quickly, the groups said.

The House Intelligence Committee has defended the PCNA, disputing allegations that it's a surveillance bill as much as a cybersecurity bill.

The bill does not require companies to share information, only allows voluntary sharing, the committee said in a fact sheet about the PCNA.

"The bill has nothing to do with government surveillance; rather, it provides narrow authority for the government and the private sector to share anonymous cyber threat information," according to the fact sheet. "The bill expressly does not give authority to companies to send information directly to the NSA or the military."

A second cyberthreat sharing bill that may come to the House floor has fewer privacy concerns attached to it. In addition to the PCNA, the House may also vote on the National Cybersecurity Protection Advancement Act this week.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.
