Amended Cybersecurity Bill Still Drawing Criticism

Although the bill's purpose is to ease communication between businesses and federal authorities, proponents of computer security say the use of vague language and broad concepts raises serious privacy concerns.

by Dawnthea Price, McClatchy News Service / July 17, 2014
Senator Mark R. Warner, who amended the Cybersecurity Information Sharing Act, called cyberattacks “a significant economic and national security threat.” Flickr/National Science Foundation

Though Sen. Mark Warner amended a controversial cybersecurity bill to increase congressional oversight, proponents of privacy and computer security say it still isn’t enough to overcome broader concerns.

The Senate Select Committee on Intelligence voted 12–3 last week to forward the Cybersecurity Information Sharing Act to the full Senate for consideration.

If enacted in its current form, the 46-page bill will provide businesses a way to share information on potential cyberthreats or attacks with the federal government. The government can then use “countermeasures” that prevent, reduce or otherwise defend against an attack.

The committee has sent the bill to the overall Senate for additional discussion.

Jake Laperruque, a fellow at the nonprofit Center for Democracy and Technology, said the bill has a well-meaning purpose—making it easier for businesses to relay information to federal authorities—but contains vague language and broad concepts that raise serious privacy concerns.

He said that there are no clear limits on what information can be shared or used, and that preserving the privacy of names, IP addresses and other personal information in what gets shared is not guaranteed.

Warner’s amendment, as outlined in the bill text, requires a report from the Director of National Intelligence within the first six months of the bill’s enactment.

The report on “cyberattacks, theft, and data breaches” would include reports on relationships with nations the United States shares cyberthreat information with, analysis of countries and nonstate actors that pose cyberthreats and an assessment of the nation’s response to attacks or precursor events up to that point.

A statement from Warner called cyberattacks “a significant economic and national security threat” to the country.

“It is essential that we take meaningful steps now to defend against this threat and improve our capability to do so,” Warner said in a release.

Laperruque said the amendment, which provides a marked improvement in oversight, doesn’t hurt the bill, but is not an overly effective fix.

“There’s always value in having more congressional oversight over any type of instance which the government might be collecting or monitoring Americans’ communications,” he said. “But in terms of effectiveness, it still doesn’t address more serious substantive issues in the bill.”

Paul Logan, communications director for Republican senatorial candidate Ed Gillespie, said that their camp was still reviewing the bill’s final text.

“While we must work to prevent cyberattacks, legitimate concerns about privacy have been raised by members of both parties,” Logan said. “Ed Gillespie would ensure that any cybersecurity legislation includes strong safeguards for our civil liberties and personal privacy.”

Michael DePaepe, the executive vice president and chief operations officer of Reveille Systems, a Fredericksburg information technology and management consultation business, said the bill doesn’t safeguard personal information and is likely to do the “private entities” it aims to assist more harm than good.

“The government is going to do what it thinks is best for national security,” he said. “It’s geared more toward getting info about an attack into the intelligence community’s hands quickly.”

DePaepe, who has over 20 years of experience in computer security, said the burden for securing personal information should remain with businesses, not the federal government.

“Businesses have an inherent responsibility to customize and employ methods to protect their privacy. If not, they’re just asking for trouble,” he said.

DePaepe said that businesses should have established security protocols that limit people from gaining free access to their systems.

Whether that is done through a firewall, a password-protected wireless network or a hard-to-hack password would be up to the business.

“If you can put up that first layer of defense,” DePaepe said, “then your concerns on privacy as far as this act go are lessened because you’re already taking those steps.”

©2014 The Free Lance-Star (Fredericksburg, Va.)