DHS warns about privacy implications of cybersecurity bill

The bill under consideration of the Senate has been criticized by privacy groups

The U.S. Department of Homeland Security has warned about the privacy implications of a cybersecurity bill that is intended to encourage businesses to share information about cyberthreats with the government.

The DHS has also warned that the information sharing system proposed by the new bill could slow down responses in the face of a cyberthreat, if companies are allowed to share information directly with various government agencies, instead of routing it through the department.

The Cybersecurity Information Sharing Act (CISA), which would give businesses immunity from customer lawsuits when they share cyberthreat data with the government, is under consideration of the Senate.

The objection to the legislation by the DHS is likely to give a boost to critics of CISA, who are concerned that the provisions of the bill could be used by companies to hand over customers' personal data to government intelligence agencies.

The authorization in CISA to share cyberthreat data "notwithstanding any other provision of law" with any federal agency could in fact sweep away key privacy protections, including provisions in the Stored Communications Act that limit the disclosure of the content of electronic communications to the government by certain providers, wrote Alejandro N. Mayorkas, deputy secretary of the DHS in a letter to Senator Al Franken.

The letter was made public on Monday by Franken, a Democrat from Minnesota, who is opposed to the legislation.

The privacy concerns of the DHS are increased by what it describes as "the expansive definitions of cyber threat indicators and defensive measures in the bill."

Mayorkas contrasts the provisions of the bill to the cybersecurity information sharing proposal outlined by President Barack Obama in January, which called for the sharing of all cyberthreat information through the National Cybersecurity and Communications Integration Center (NCCIC), a non-law enforcement, non-intelligence center focused on network defense activities.

The DHS runs the NCCIC, which has representatives of both government agencies and the private sector involved in information sharing. "Permitting sharing directly with law enforcement and intelligence entities will be of significant concern to the privacy and civil liberties communities," Mayorkas wrote.

A provision in the bill to permit companies to mark information provided to the federal government as "proprietary" could also be too restrictive, and might be read to limit DHS's ability to share this information with other non-federal entities, according to the Mayorkas. The protections "may deprive numerous private sector entities of a valuable source of cyber threat information helpful for network defense activities," he wrote.

The distribution of cyberthreat information among multiple agencies, instead of providing it initially to one agency, will also "limit the ability of DHS to connect the dots and proactively recognize emerging risks and help private and public organizations implement effective mitigations to reduce the likelihood of damaging incidents," Mayorkas added.

The DHS letter makes it clear that if the Senate moves forward with CISA, "we are at risk of sweeping away important privacy protections and civil liberties, and we would actually increase the difficulty and complexity of information sharing, undermining our nation's cybersecurity objectives," said Franken who is the top Democratic senator on the Judiciary Subcommittee on Privacy, Technology, and the Law.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John's e-mail address is john_ribeiro@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags U.S. SenatesecurityU.S. Department of Homeland Securitylegislationgovernmentprivacy

More about IDGNewsTechnologyTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Ribeiro

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts