US Senator Dianne Feinstein (D-Calif.) wrote an open letter to the LA Times this weekend in support of her proposed cybersecurity bill making its way through Congress—making the case that, even post-Snowden, the bill's privacy protections are solid.
The Cyber Information Sharing Act was passed by the Senate Intelligence Committee in July, with sponsorship from Feinstein and Saxby Chambliss (R-Ga.).
“Every week, we hear about the theft of personal information from retailers and trade secrets from innovative businesses, as well as ongoing efforts by foreign nations to hack government networks,” the committee said in a statement. “This bill is an important step toward curbing these dangerous cyber-attacks.”
In her open letter, Feinstein stressed the difference between this bill and the others that have failed before it, like CISPA, which was defeated last year under a cloud of privacy concerns.
“The legislation permitting information sharing is just the first step toward stronger cybersecurity,” she said. “Legislating is the art of the possible, and only a bill with broad bipartisan support can pass the Senate. Previous bills did not strike the balance between information sharing and privacy and therefore failed to win both Republican and Democratic support.”
She was writing in response to a Times editorial that called on Congress to pass cybersecurity legislation sooner rather than later but raised concerns over this latest effort.
“It still leaves too many openings for personal information to be shared with government agencies that don't need to see it, and that could use it for too many purposes beyond cybersecurity,” said the Times. “In fact, it requires that information shared with the government be sent automatically to the Department of Defense and, presumably, the National Security Agency, given the latter's interest in cyber-attacks. For that reason, it feels too much like a bill to deter hackers by expanding the surveillance of ordinary Internet users.”
The senator called the description a mischaracterization.
“First, the legislation is purely voluntary,” Feinstein retorted. “It provides legal authorization and liability protection to companies that share cyber threat information with other companies or with the government. The editorial is wrong in suggesting the bill provides any authority for government surveillance or for the sharing of information for purposes other than cybersecurity.”
She added, “Second, the bill already includes numerous privacy protections. These include requirements that companies strip out personally identifying information before sharing, that the government destroy information it receives after a specified time and that the information sharing program is reviewed by the Privacy and Civil Liberties Oversight Board, inspectors general and many others.”
The fact that the bill seems to lack a framework for data organization and format, along with appropriate protection, worries some in the security community.
“On one hand it’s great to see a bill like this getting traction and that we are making strides towards improving information sharing,” said Brandon Hoffman, senior director, Global BD and SE at RedSeal Networks, in an emailed comment. “On the other hand, the critique of this bill is hard to ignore. There has been significant abuse in the past with personal information. To help make this bill effective it is imperative that information scrubbing or anonymizing the information without losing the pertinent details be determined.”