Last week, the House of Representatives passed the Protecting Cyber Networks Act. According to the House’s website, the bill “enables private companies to voluntarily share cyberthreat indicators with one another and to voluntarily share these indicators with the federal government so long as it does not go through the National Security Agency or the Department of Defense, all while providing strong protections for privacy and civil liberties.”
But many are wondering whether the new bill is merely a thinly veiled attempt by the government to collect consumers’ private information for unrelated use.
The outlined purpose of the Protecting Cyber Networks Act (PCNA) is to simplify the information pipeline between the federal government and private companies. Companies will be able to turn over questionable data to the federal government without fear of legal penalty. This open communication allows the government to look into possible data weaknesses before data slips between the cracks and ends up in the hands of hackers.
But the concern is whether this more direct line of communication also exposes the public to the risk of having their private information used for purposes other than cybersecurity. After all, once the information is out there, who is to say the government should limit its use to only national security?
That question is the subject of an open letter addressed to Congress last week, signed by 55 different civil liberties groups and posted by the New America Foundation, a nonpartisan think tank.
“The revelations of the past two years concerning the intelligence community’s abuses of surveillance authorities and the scope of its collection and use of individuals’ information demonstrates the potential for government overreach, particularly when statutory language is broad or ambiguous,” the letter reads. “PCNA also fails to provide strong privacy protections or adequate clarity about what actions can be taken, what information can be shared, and how that information may be used by the government.”
Attempts to create a cybersecurity bill have been stop-and-go over the past few years. However, with all the serious data breaches that have occurred in the past year — perhaps most notably the Sony Pictures hacking — the pressure to create some kind of legislation to combat security breaches is higher than ever.
“At some point, we need to stop just hearing about cyberattacks that steal our most valuable trade secrets and our most private information and actually do something to stop it,” Rep. Adam Schiff, D-Calif., told the House last Thursday.
But the rush to get new legislation through Congress could be sacrificing thoroughness in favor of a hole-patch fix. In an article for Forbes, contributor Leo King points out the danger of moving too quickly to pass a cyber security bill.
“The US House of Representatives’ approval of … the Protecting Cyber Networks Act has simply served to highlight how far cyber security legislation remains from doing what it needs. The chaotic rush to get it through poses a high risk of derailing any sensible measures,” King wrote. “Citizens’ serious data privacy concerns must be addressed by legislators, as must … the continuing need to prevent serious cyber attacks on business and infrastructure by criminals and rogue states. The problem is how on Earth to address those two needs fairly and effectively at the same time, and that battle is taking place now.”
The House defended the access to information that the bill allows, saying it “only permits the sharing of such information for cybersecurity purposes.” Furthermore, the bill bars the government from requiring companies to provide information, and it requires participating companies to remove personal information before reporting it to the government.
But it is difficult to determine exactly what constitutes personal information and what constitutes a legitimate reason to use it.
The Center for Democracy and Technology, a D.C.-based nonprofit focused on promoting a free Internet, wrote on its website that stipulations in PCNA are not enough to protect users’ information from being used for non-cybersecurity purposes.
“The [PCNA] bill permits cyberthreat indicators shared by the private sector with the federal government to be re-purposed to investigate crimes that have nothing to do with cybersecurity, thus turning the cybersecurity program the bill creates into a surveillance program,” the website reads.
The Obama administration is in support of the bill, although the White House released a statement requesting more specific stipulations on data use.
There is also the question of how effective the new bill will be at preventing security breaches. The Hill recently reported that 65 security experts penned a letter to Congress, urging them to reconsider the bill.
“We do not need new legal authorities to share information that helps us protect our systems from future attacks,” read the letter, which was posted to Stanford University’s website. “Generally speaking, security practitioners can and do share this information with each other and with the government while still complying with our obligations under federal privacy law.”
While the bill still has to make it through both the Senate and the president’s hands, the fact that it passed in the House is a step, whether forward or back, toward taking legal action to prevent cyberattacks.