Cybersecurity legislation is on the Senate floor this week, but widespread worry over the security of Americans’ personal information threatens the likelihood of the bill passing before the August recess.
Another question floating around among cybersecurity experts is more fundamental—will the bill actually improve computer security?
S. 754 is already vocally opposed by Sen. Ron Wyden (D-Ore.), who was the only member of the Senate Intelligence Committee to vote against the bill as it ultimately passed the panel 14-1.
Wyden is not alone in voicing these concerns. Both Democrats and Republicans in the Senate, along with the Department of Homeland Security, harbor growing apprehensions. Keith Chu, Wyden’s press secretary, said Monday that there is a “strong and significant number” of senators from both parties who want to see amendments to the bill.
“Clearly there are members on both sides of the aisle who think there need to be a number of amendments,” he said.
In a press conference call on Friday, Wyden reiterated his worries that the bill “collects enormous amounts of personal information on Americans and has very little, if anything, to protect the privacy of the American people.”
Sen. Al Franken (D-Minn.) has also been outspoken regarding privacy and wants to see the introduction of amendments to address the concerns.
He believes it’s crucial that senators have a real opportunity to offer amendments, specifically ones that would address the standards for the removal of unnecessary personal information and the scope of the bill’s authorizations, according to a Franken aide.
The bill would provide liability protections to nongovernment entities that share with federal agencies electronic information that, in theory, could help protect against a cyberattack. The idea behind the measure is that increased communication would improve everyone’s ability to protect against cyberthreats.
However, there are concerns over the bill’s complicated new structure that includes any federal agency in the data sharing. Currently, only the Department of Homeland Security has access.
The bill also has no language stipulating a filtering process to remove personal information from the data being shared.
Franken released a July 31 letter on Monday from the Department of Homeland Security that expresses concerns that the bill would not only infringe on Americans’ privacy rights, but it would also fail to keep the country safe.
“While the Cybersecurity Information Sharing Act seeks to incentivize nonfederal sharing through a DHS portal, the bill’s authorization to share with any federal agency ‘notwithstanding any other provision of law’ undermines that policy goal, and will increase the complexity and difficulty of a new information sharing program,” the DHS letter read.
Jonathan Mayer, a cybersecurity fellow at the Center for International Security and Cooperation at Stanford University, agrees that increased information sharing might not help improve cybersecurity.
“I’m exceedingly skeptical that information sharing legislation would meaningfully improve computer security,” he wrote in an email. “That appears to be the consensus among professional and academic computer security experts. Businesses already share threat information with each other, on a daily basis. The legal obstacles are negligible; federal communications privacy law already has several exceptions that allow protecting against attackers.”
Mayer went on to say that the Senate’s continued work in attempting to pass information sharing legislation since 2012 might be blocking lawmakers from solving cybersecurity needs in other ways.
He wrote, “The theory seems to be that, because Congress has been working on these proposals for years, they deserve to eventually pass. I think that perspective is backward.