This isn’t a good sign for CISA.
Privacy advocates have found an unlikely ally in the fight against a major cybersecurity bill: The Department of Homeland Security.
In a letter to Sen. Al Franken (D-Minn.), Deputy Secretary of Homeland Security Alejandro Mayorkas wrote that CISA unwisely tasked the attorney general, and not DHS, with creating a framework for private companies and government agencies to share details of cyberthreats.
“The scope of the Attorney General’s policies and procedures outlined in the Cybersecurity Information Sharing Act is problematic,” Mayorkas wrote in response to a letter from Franken soliciting DHS’ input on the bill. “Because DHS will be operating the federal government’s capability to receive cyber threat information … it is not feasible for another agency to issue the procedures that will govern the day-to-day operations of such a capability.”
Neither DHS nor the Department of Justice responded to requests for comment about the letter.
Mayorkas singled out what he called CISA’s weak privacy protections, joining an argument advanced by civil-liberties activists that the bill could significantly increase the amount of Americans’ private data that reaches government servers.
“The authorization to share cyberthreat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections,” Mayorkas wrote.
The letter argued that DHS needed to be able to “apply a privacy scrub” to data shared by companies to ensure that Americans’ private information did not make it to government servers through the information-sharing process.
DHS, Mayorkas wrote to Franken, shared the senator’s “concern that sharing cyberthreat information ‘not subject to any delay [or] modification’ raises privacy and civil-liberties concerns and would complicate efforts to establish an automatic sharing regime.”
President Barack Obama submitted a cyber-data-sharing proposal in January, and Mayorkas wrote that the White House framework offered clearer, stronger language and properly vested DHS, not the Justice Department, with the authority to create sharing guidelines. The president’s plan also does not allow private companies that suffer cyberattacks to respond with “defensive measures” meant to mitigate the threat. CISA defines these measures only vaguely, and opponents argue that they could lead to all-out cyberwar.
“The DHS letter raises many of the same concerns about CISA that we’ve raised in the privacy and security community since it was first introduced,” said Robyn Greene, policy counsel at New America’s Open Technology Institute. “The fact that the government agency charged with implementing this new information-sharing regime is raising these red flags should tell senators that they need to slow down and re-assess what they are trying to do.”
DHS’ objections to the bill are partly the result of self-interest. The department runs the National Cybersecurity and Communications Integration Center (NCCIC), which already oversees coordination between government agencies and businesses over cyberthreats.
NCCIC is not a law-enforcement or intelligence operation, and Mayorkas wrote that CISA’s plan to allow “sharing directly with law enforcement and intelligence entities will be of significant concern to the privacy and civil-liberties communities.”
The Senate is expected to begin considering CISA as soon as this Thursday, although initial votes could be pushed back until after the summer recess depending on how legislation to defund Planned Parenthood is handled in the upper chamber.