Congress is set to act on cybersecurity legislation that has been making its way through committees in both chambers for several years. The House is set to vote on these bills during the week of April 23, dubbed "Cybersecurity Week." The Senate will take action soon after.
A lot of important work has gone into these bills that are intended to strengthen both the government and civilian response to cyber threats. Yet parts of these bills are alarming because, if passed, any information we put online—work, play, personal and sensitive—could be put at risk.
Thoughtful policy can help harden critical infrastructure targets—such as the electric grid, nuclear power plants, and communication networks—against unauthorized intrusions, making the Internet a safer place for all. But if Congress does not step up to make important changes in these bills, we may face an epic loss of our civil liberties.
The signals right now are not good. The House is expected to kick off Cybersecurity week by taking up HR 3523, a bill sponsored by Reps. Mike Rogers (R-Mich.) and C.A. Dutch Ruppersberger (D-Md.).
The House Intelligence Committee approved the bill in a secret session held one day after the bill was introduced and without a single public hearing on the legislation. A bill more sensitive to civil liberties, sponsored by Rep. Dan Lungren (R-Calif.) (HR 3674, or "the Lungren bill"), has moved at a more deliberate pace and in open sessions. That bill is slated for full Committee consideration the week of April 16. It will be up to House leadership to reconcile the two bills with each other.
For civil libertarians, the most important part of all the cyber bills is buried in the language describing "enhanced information sharing" of cybersecurity threats between private companies and the government. To date, shortcomings in current law and excessive government secrecy have stymied appropriate sharing of carefully defined threat information among industry players and between industry and the government. But in the Rogers bill, information sharing provisions allow for "too much information" sharing, threatening to transform needed reform into a shadow surveillance network.
Here's how. The Rogers bill creates a sweeping "cybersecurity exception" to every single federal and state law, including key privacy laws (the Electronic Communications Privacy Act, the Wiretap Act, and the Privacy Act), allowing private companies holding our private communications to share them with each other, with the National Security Agency (NSA), with other intelligence and defense agencies, and with all other agencies of the federal government.
Unlike the Lungren bill, the Rogers bill makes no effort to list the specific categories of cyber threat indicators that may be shared, instead offering a very broad, almost unlimited definition of the information that can be shared with government agencies. It allows companies to share any information "pertaining to the protection of" a system or network. Since any digital communication may contain an attack, and since ISPs and other communications providers routinely scan all their traffic to protect their networks, this appears to allow all of that traffic to be shared with the government.
Why should companies participate in the "voluntary sharing" the Rogers bill authorizes? The quid pro quo may be irresistible: more useful cybersecurity information from the government and other companies, and broad immunity from lawsuits, in exchange for sharing. In contrast to the Lungren bill, there are no data restrictions to stumble over and few discernible brakes on the system. When the NSA comes calling with its Easter basket full of goodies, in the form of needed expertise and knowledge of global cyber threats, there will be powerful incentives for industry to return the favor.