And under Rogers, once your personal information is in the hands of the government, all bets are off. It can be used for any national security purpose, including to track patterns of communications to decide whether to seek authorization to wiretap you. It can be used to prosecute you for any crime, provided an intelligence agency also finds at least a significant national security or cybersecurity purpose for the information. Lungren, by contrast, limits sharing to cybersecurity purposes, including related law enforcement.
While the bill does not specify which agencies ISPs could disclose customer data to, the structure and incentives in the bill raise a very real possibility that the NSA or the DOD's Cyber Command would be the primary recipient. In Washington, D.C., information is power, and if the NSA receives the cybersecurity information from the private sector, it may well take the lead role on cybersecurity efforts for the private sector away from civilian control at the Department of Homeland Security.
The NSA has been lobbying for a bigger role in the cybersecurity operations of private networks for some time, including more access to private communications. While the Administration has so far rightly resisted the demands of the intelligence agency to take command and control of cybersecurity, the Rogers bill leaves the question of which agency will be in control muddled at best, setting the stage for a power struggle sure to happen out of the public eye.
Why would the House of Representatives consider a bill that could put a secret agency that has engaged in years of warrantless wiretapping in the middle of the Internet and give it such power? It is hard to figure.
To be sure, the NSA has important expertise and information to bring to the cybersecurity effort. It has classified cyber attack signatures that could be valuable to the private sector, and it is already sharing its expertise with the DHS. But these benefits are easily secured without such overreach.
The Lungren bill -- at least as it stands now -- hits most of the right notes. It keeps the nation's cybersecurity efforts under DHS control, which maintains civilian control while promoting more transparency and accountability to the public. It plainly and narrowly describes the customer data that can be shared and limits government use to cybersecurity related matters. Lungren also gives companies more confidence that they will know how their customer information is being used and shared than they could possibly have under the Rogers bill.
So why is the House leadership trumpeting the Rogers bill and why are so many companies lining up to support it? For companies, the answer is easy: there is freedom to share information with whatever entity you please, blanket immunity for sharing, blanket immunity for a recipient of shared cybersecurity information who fails to take protective measures even when they are clearly needed, and no regulatory burdens are imposed. For House leadership, the answer seems to be that it is not listening to Internet users. Perhaps it's time for us to speak more loudly.
Here is how to get cybersecurity information sharing legislation back on track: by precisely answering three simple questions with Americans' privacy in mind. What information can be shared? With whom? And for what purposes?
What information can be shared? Congress should narrowly define the specific categories of threat information that can be shared, and the Lungren bill already does this quite well. It permits companies to share only information necessary to describe six specific threat categories, and it requires companies to make reasonable efforts to remove unrelated personal information before sharing.
With whom should information be shared? Congress should ensure that civilian control of cybersecurity is preserved. It should put DHS firmly in control, working with the private sector to help companies exchange information under strict control. If narrowly defined cyber threat information is to flow to the government, it should generally go to DHS. Information about cyber attacks on classified systems maintained by defense contractors could also be shared with the Pentagon.