Rights Groups Slam US Cyber Info Sharing Bills

The US House of Representatives this week passed two bills designed to encourage businesses to share more information on cyber threats with each other and the government, but which rights groups have criticized as “surveillance bills in disguise.”

The legislation in question is the House Permanent Select Committee on Intelligence's Protecting Cyber Networks Act (PCNA), and the House Homeland Security Committee's National Cybersecurity Protection Advancement Act (NCPAA) – both of which will be combined into one bill and sent to the Senate.

Proponents of the bills, backed by the Obama administration, argue they are long overdue because they give firms that voluntarily share threat information legal protection from customer lawsuits over that sharing.

More info-sharing – both between businesses, and between private industry and law enforcement – would help organizations better prepare for impending attacks and improve incident response times, the argument goes.

But the Electronic Frontier Foundation argued that information sharing is not a silver bullet, and claimed the proposed pieces of legislation are “surveillance bills in disguise.”

“Like other bills we’ve opposed during the last five years, they authorize more private sector spying under new legal immunity provisions and use vague definitions that aren’t carefully limited to protect privacy,” it added in a blog post.

“The bills further facilitate companies’ sharing even more of our personal information with the NSA and some even allow companies to ‘hack back’ against potentially innocent users.”

The rights group claimed that organizations already have the facility to share information on threats via Information Sharing and Analysis Centers (ISACs), as well as “public reports, private communications, and the DHS's Enhanced Cybersecurity Services.”

Robyn Greene, policy counsel at the non-profit Open Technology Institute, said that while the OTI opposes both bills, the NCPAA is “superior” to the PCNA because it forbids law enforcement from using any information received to investigate crimes outside of cybersecurity.

“This limitation is critically important to ensuring that this cybersecurity bill doesn’t become a backdoor for general-purpose cyber-surveillance,” she wrote in a blog post.

“The NCPAA is also an upgrade over the PCNA because it effectively cements civilian control over domestic cybersecurity. It does not include a requirement that DHS automatically disseminate all of the information it receives to the National Security Agency (NSA).”

The OTI is one of 55 rights groups that signed an open letter voicing strong opposition to the PCNA.

Their issue is that the PCNA would allow companies to share too broad a range of information with law enforcement; would allow the government to use that info to investigate a vast array of crimes; and would require the government to automatically share any info with the NSA.

“Neither bill is perfect. They both take the over-broad approach of authorizing information sharing ‘notwithstanding any other provision of law.’ They could also harm privacy by authorizing companies to engage in blanket monitoring of their users’ activities, so long as it is for cybersecurity purposes,” Greene explained.

“Finally, both authorize companies to deploy defensive measures, previously referred to as counter-measures, which would otherwise be illegal under current anti-hacking statutes like the Computer Fraud and Abuse Act. These measures could harm innocent third parties and may actually undermine internet security rather than enhance it.”

In fact, even the government itself has highlighted this last point as a potential area of concern.

The White House Office of Management and Budget said this week that the use of defensive measures without the correct safeguards “raises significant legal, policy, and diplomatic concerns and can have a direct deleterious impact on information systems and undermine cybersecurity.”

It added:

“Moreover, as drafted, these provisions may prevent the application of other laws such as the Computer Fraud and Abuse Act and State common law tort remedies.”
