The proposed Cybersecurity Information Sharing Act (“CISA”) has supporters and opponents on both sides of the political aisle. However, in a new wrinkle, the Department of Homeland Security (“DHS”), an agency not generally concerned with privacy protection, has come out against the proposed legislation as written. In a letter to Minnesota democrat Senator Al Franken, the DHS has outlined its perceived problems with the CISA, stating that the bill is riddled with flaws and “could sweep away important privacy protections.”
One of the main points of contention that the DHS has with the CISA is the proposed means of private companies communicating customers’ private data to several, various government agencies. While the DHS presumably does not have an issue with customers handing over such data, it does have a serious problem with companies handing it over to other agencies rather than delivering it directly to the DHS.
As it stands now, the DHS is responsible for obtaining, handling and then distributing this type of information. Alejandro N. Mayorkas, deputy secretary of the DHS, stated in his letter to Franken that distributing cyberthreat information to multiple agencies instead of initially providing it to the DHS will “limit the ability of DHS to connect the dots and proactively recognize emerging risks and help private and public organizations implement effective mitigations to reduce the likelihood of damaging incidents.” He further stated that information sharing directly to various agencies would mean that the “inefficiency of any information sharing program will markedly increase; developing a single, comprehensive picture of the range of cyber threats faced daily will become more difficult.”
Another issue that the DHS has with the proposed legislation involves restrictions in sharing the collected private information. Specifically, there is a provision in the bill that would permit companies to label information provided to the government as “proprietary.” This restrictive label could be read to limit the DHS’s ability to disseminate the information to other non-federal entities such as state and local law enforcement.
Privacy advocates and some technology firms believe CISA, as currently drafted, will make it easier for the federal government to obtain both corporate and personal information that has very little to do with cybersecurity. In response to these concerns, Republican Senator Richard Burr and Democrat Senator Dianne Feinstein proposed on Monday a bundle of changes that would put express limits on the bill, including the prevention of the government from using the information provided from companies to prosecute felonies among other things. Feinstein stated that, “It takes out any subsidiary use of the data- it means you can’t use it for violent crime or anything else. You can only use it strictly for cybersecurity purposes.” Burr pointed out that information sharing by companies is voluntary, a very important point for many companies hesitant to participate.
As many senators wish to debate the CISA, there is little time to do so as the summer recess begins later this week. Once Congress resumes their duties in September, several other, more immediate issues will be on its agenda, including government funding legislation and the Iran nuclear deal. It is likely that discussion and voting on the CISA will get pushed back.