This isn’t a good sign for CISA.
Privacy advocates have found an unlikely ally in the fight against a major cybersecurity bill: The Department of Homeland Security.
In a letter to Sen. Al Franken (D-Minn.), Deputy Secretary of Homeland Security Alejandro Mayorkas wrote that CISA unwisely tasked the attorney general, and not DHS, with creating a framework for private companies and government agencies to share details of cyberthreats.
“The scope of the Attorney General’s policies and procedures outlined in the Cybersecurity Information Sharing Act is problematic,” Mayorkas wrote in response to a letter from Franken soliciting DHS’ input on the bill. “Because DHS will be operating the federal government’s capability to receive cyber threat information … it is not feasible for another agency to issue the procedures that will govern the day-to-day operations of such a capability.”
Neither DHS nor the Department of Justice responded to requests for comment about the letter.
Mayorkas singled out what he called CISA’s weak privacy protections, joining an argument advanced by civil-liberties activists that the bill could significantly increase the amount of Americans’ private data that reaches government servers.
“The authorization to share cyberthreat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections,” Mayorkas wrote.
The letter argued that DHS needed to be able to “apply a privacy scrub” to data shared by companies to ensure that Americans’ private information did not make it to government servers through the information-sharing process.
DHS, Mayorkas wrote to Franken, shared the senator’s “concern that sharing cyberthreat information ‘not subject to any delay [or] modification’ raises privacy and civil-liberties concerns and would complicate efforts to establish an automatic sharing regime.”
President Barack Obama submitted a cyber-data-sharing proposal in January, and Mayorkas wrote that that framework offered clearer, stronger language and properly vested DHS, not the Justice Department, with the authority to create sharing guidelines. The president’s plan also does not allow private companies that suffer cyberattacks to respond with “defensive measures” meant to mitigate the threat. CISA defines these measures only vaguely, and opponents argue that they could lead to all-out cyberwar.
“The DHS letter raises many of the same concerns about CISA that we’ve raised in the privacy and security community since it was first introduced,” said Robyn Greene, policy counsel at New America’s Open Technology Institute. “The fact that the government agency charged with implementing this new information-sharing regime is raising these red flags should tell senators that they need to slow down and re-assess what they are trying to do.”
DHS’ objections to the bill are partly the result of self-interest. The department runs the National Cybersecurity and Communications Integration Center (NCCIC), which already oversees coordination between government agencies and businesses over cyberthreats.
NCCIC is not a law-enforcement or intelligence operation, and Mayorkas wrote that CISA’s plan to allow “sharing directly with law enforcement and intelligence entities will be of significant concern to the privacy and civil-liberties communities.”
The Senate is expected to begin considering CISA as soon as this Thursday, although initial votes could be pushed back until after the summer recess depending on how legislation to defund Planned Parenthood is handled in the upper chamber.
Photo via U.S. Department of Homeland Security/Flickr (PD)
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.