DHS Issues a Big Warning About the Senate's Cyber Bill
DHS said Monday the Senate's cyberinformation-sharing bill would "sweep away important privacy protections."
The Homeland Security Department said in an official letter that a cyberinformation-sharing bill under consideration in the Senate would be detrimental to Americans' privacy and the country's cybersecurity.
The agency said a provision in the bill that authorizes the private sector to share cyberthreat information with any federal agency would "increase the complexity and difficulty of a new information sharing program" and "sweep away important privacy protections."
DHS Deputy Secretary Alejandro Mayorkas, who signed the letter, also wrote that distributing information across many agencies would mean the "inefficiency of any information sharing program will markedly increase; developing a single, comprehensive picture of the range of cyber threats faced daily will become more difficult."
The Cybersecurity Information Sharing Act passed out of the Senate Intelligence Committee nearly unanimously in March, but some lawmakers have since raised questions about its privacy protections and efficiency. Supporters on both sides of the aisle say it will facilitate cyberthreat sharing between the private sector and the government, thereby making it easier for both to detect and shut down online intrusions.
The letter, a response to a request for information from Sen. Al Franken, was sent Friday and released by the Minnesota Democrat's office Monday. The problems DHS outlines in the letter mirror many of the concerns that privacy advocates and security experts have raised about the bill, which could come up for a vote in the Senate this week before the chamber breaks for August recess.
In releasing the DHS letter, Franken said Monday that CISA is not yet ready for a vote.
"The Department of Homeland Security's letter makes it overwhelmingly clear that, if the Senate moves forward with this cybersecurity information-sharing bill, we are at risk of sweeping away important privacy protections and civil liberties, and we would actually increase the difficulty and complexity of information sharing, undermining our nation's cybersecurity objectives," he said in a statement.
Franken, an outspoken privacy advocate in the Senate, asked DHS last month to set out any concerns it may have with the bill's privacy, effectiveness, and efficiency. The agency identified a number of issues with the bill, including a provision that would make it difficult for the agency to anonymize incoming data and preserve Americans' privacy, and a worry that the sheer volume of information that would be shared under the law would be overpowering.
DHS has been intimately involved in cyberinformation-sharing ever since recent legislation created the National Cybersecurity and Communications Integration Center cyberthreat clearinghouse within the agency. A number of federal agencies and over a hundred private-sector companies participate in DHS's information-sharing program.
In the response to Franken's request, DHS said a stronger information-sharing law should preserve the NCCIC as the hub for any expanded program, rather than spreading cyberthreat information out across government agencies.
The agency also said it was concerned that an allowance in the Senate bill for companies to mark information they share with the government as proprietary could get in the way of the program's goals and prevent agencies from acting on the cyberthreat information they receive. DHS recommended that information, once anonymized, no longer be regarded as proprietary.
With only a week before the Senate adjourns for the summer, CISA is up against a ticking clock. Senators are working to reach an agreement to move forward with the bill early this week, but lawmakers from both parties are clamoring to add amendments to the bill.
A spokesman for Senate Majority Leader Mitch McConnell said the senator wants to move to the cyber bill immediately after a vote on defunding Planned Parenthood on Monday afternoon. The bill to defund Planned Parenthood is not expected to pass.
If it does not get a vote this week, the bill will get shunted to the fall, where it will compete for senators' attention with other pressing issues, such as fights over appropriations and the debt ceiling.