On July 31, the Department of Homeland Security (DHS) submitted a letter to Senator Al Franken (D-MN) in which it outlined some of its chief concerns with the Senate version of the Cybersecurity Information Sharing Act (CISA).
The bill encourages companies to share cyber threat indicators (CTIs) with the government, but defines CTIs so broadly that the government could easily get its hands on personally identifiable information (PII) unrelated to potential cyber attacks. DHS agrees with TechFreedom that the “expansive definitions of [CTIs]” could “sweep away important privacy protections,” creating serious privacy and civil liberties concerns. Like past bills, CISA also contains measures requiring “real-time” sharing of information and ensuring that CTIs not be “subject to any delay, modification, or any other action that could impede real-time receipt by all of the appropriate Federal entities.”
Privacy concerns aside, sharing of PII could slow the analysis process, as Admiral Mike Rogers, Director of the NSA and Cyber Command, explained to Congress. Indeed, 67 leading technologists have sent a letter to Congress explaining how the kind of data that information security personnel need to protect networks would not contain the types of PII that cause some of the greatest privacy concerns.
We hope that the Senate will take into account the Department’s concerns along with those TechFreedom has outlined.