Industry officials have told the House Intelligence Committee that a bill to increase the sharing of cybersecurity-threat information wouldn’t jeopardize privacy — but a fight over the legislation’s civil liberties safeguards is still on the horizon.
The representatives testifying before the panel all support the information-sharing legislation (H.R. 624), in contrast with privacy groups, who did not appear before the committee and who heavily criticized the same legislation last year and then again after it was reintroduced.
The Obama administration also criticized the bill’s privacy protections last year, before it passed the House.
Under the bill, businesses and the federal government would more freely exchange information on cyberthreats. The issue for privacy advocates is how “personally identifiable information” given to the government would be protected and how it would be shared.
Several witnesses said that very little of that information would be included in any exchange. “I’ve never seen a package of threat intelligence that was actionable that also contained what the bad guy took,” said Kevin Mandia, CEO of the computer security company Mandiant.
Others said it was in businesses’ interest to protect client data or said that information given to the government wasn’t as big a privacy threat as the risk of not acting on legislation.
“The greater privacy threat is from the attacker coming over the wall,” said John Engler, president of the Business Roundtable.
One provision of the bill would allow companies to “minimize” some details in the information it provides the government. Rep. Adam Schiff, D-Calif., asked whether it would be an undue burden to ask companies to take “reasonable” steps to do so. Engler said he did not think it would but said there would need to be leeway for companies to exercise their judgment in an emergency.
Internet activist groups Demand Progress and Fight for the Future launched an online campaign aimed at presenting 1 million signatures in opposition to the bill, via e-mail and Twitter, to its chief sponsors, Intelligence Chairman Mike Rogers (R-MI) and C.A. Dutch Ruppersberger of Maryland, the top Democrat on the panel. “While the bill’s sponsors claim that they are taking privacy into account, no civil liberties groups were asked to testify at this morning’s hearing, and a wide range of advocacy groups have denounced the bill,” the groups noted in a news release.
Besides seeking stronger minimization requirements and limits on how shared information can be used, privacy groups also oppose allowing information to be shared directly with military and intelligence agencies rather than through civilian agencies.
Rogers said there are too many “unfounded fears” about his bill’s privacy impact from civil liberties groups. “There’s this huge gap in what happens and in what they think happens,” he said.