This isn’t a good sign for CISA.
Privacy advocates have found an unlikely ally in the fight against a major cybersecurity bill: The Department of Homeland Security.
In a letter to Sen. Al Franken (D-Minn.), Deputy Secretary of Homeland Security Alejandro Mayorkas wrote that CISA unwisely tasked the attorney general, and not DHS, with creating a framework for private companies and government agencies to share details of cyberthreats.
“The scope of the Attorney General’s policies and procedures outlined in the Cybersecurity Information Sharing Act is problematic,” Mayorkas wrote in response to a letter from Franken soliciting DHS’ input on the bill. “Because DHS will be operating the federal government’s capability to receive cyber threat information … it is not feasible for another agency to issue the procedures that will govern the day-to-day operations of such a capability.”
Neither DHS nor the Department of Justice responded to requests for comment about the letter.
Mayorkas singled out what he called CISA’s weak privacy protections, joining an argument advanced by civil-liberties activists that the bill could significantly increase the amount of Americans’ private data that reaches government servers.
“The authorization to share cyberthreat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections,” Mayorkas wrote.
The letter argued that DHS needed to be able to “apply a privacy scrub” to data shared by companies to ensure that Americans’ private information did not make it to government servers through the information-sharing process.
DHS, Mayorkas wrote to Franken, shared the senator’s “concern that sharing cyberthreat information ‘not subject to any delay [or] modification’ raises privacy and civil-liberties concerns and would complicate efforts to establish an automatic sharing regime.”
President Barack Obama submitted a cyber-data-sharing proposal in January, and Mayorkas wrote that that framework offered clearer, stronger language and properly vested DHS, not the Justice Department, with the authority to create sharing guidelines. The president’s plan also does not allow private companies that suffer cyberattacks to respond with “defensive measures” meant to mitigate the threat. CISA defines these measures only vaguely, and opponents argue that they could lead to all-out cyberwar.
“The DHS letter raises many of the same concerns about CISA that we’ve raised in the privacy and security community since it was first introduced,” said Robyn Greene, policy counsel at New America’s Open Technology Institute. “The fact that the government agency charged with implementing this new information-sharing regime is raising these red flags should tell senators that they need to slow down and reassess what they are trying to do.”
DHS’ objections to the bill are partly the result of self-interest. The department runs the National Cybersecurity and Communications Integration Center (NCCIC), which already oversees coordination between government agencies and businesses over cyberthreats.
NCCIC is not a law-enforcement or intelligence operation, and Mayorkas wrote that CISA’s plan to allow “sharing directly with law enforcement and intelligence entities will be of significant concern to the privacy and civil-liberties communities.”
The Senate is expected to begin considering CISA as soon as this Thursday, although initial votes could be pushed back until after the summer recess depending on how legislation to defund Planned Parenthood is handled in the upper chamber.
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.