The U.S. Department of Homeland Security has warned about the privacy implications of a cybersecurity bill that is intended to encourage businesses to share information about cyberthreats with the government.
The DHS has also warned that the information sharing system proposed by the new bill could slow down responses in the face of a cyberthreat, if companies are allowed to share information directly with various government agencies, instead of routing it through the department.
The Cybersecurity Information Sharing Act (CISA), which would give businesses immunity from customer lawsuits when they share cyberthreat data with the government, is under consideration of the Senate.
The objection to the legislation by the DHS is likely to give a boost to critics of CISA, who are concerned that the provisions of the bill could be used by companies to hand over customers' personal data to government intelligence agencies.
The authorization in CISA to share cyberthreat data "notwithstanding any other provision of law" with any federal agency could in fact sweep away key privacy protections, including provisions in the Stored Communications Act that limit the disclosure of the content of electronic communications to the government by certain providers, wrote Alejandro N. Mayorkas, deputy secretary of the DHS in a letter to Senator Al Franken.
The letter was made public on Monday by Franken, a Democrat from Minnesota, who is opposed to the legislation.
The privacy concerns of the DHS are increased by what it describes as "the expansive definitions of cyber threat indicators and defensive measures in the bill."
Mayorkas contrasts the provisions of the bill to the cybersecurity information sharing proposal outlined by President Barack Obama in January, which called for the sharing of all cyberthreat information through the National Cybersecurity and Communications Integration Center (NCCIC), a non-law enforcement, non-intelligence center focused on network defense activities.
The DHS runs the NCCIC, which has representatives of both government agencies and the private sector involved in information sharing. "Permitting sharing directly with law enforcement and intelligence entities will be of significant concern to the privacy and civil liberties communities," Mayorkas wrote.
A provision in the bill to permit companies to mark information provided to the federal government as "proprietary" could also be too restrictive, and might be read to limit DHS's ability to share this information with other non-federal entities, according to the Mayorkas. The protections "may deprive numerous private sector entities of a valuable source of cyber threat information helpful for network defense activities," he wrote.
The distribution of cyberthreat information among multiple agencies, instead of providing it initially to one agency, will also "limit the ability of DHS to connect the dots and proactively recognize emerging risks and help private and public organizations implement effective mitigations to reduce the likelihood of damaging incidents," Mayorkas added.
Sign up for Computerworld eNewsletters.