The Department of Homeland Security is arguing that a new cybersecurity bill could slow responses to cyberattacks and endanger the rights of U.S. citizens.
In a letter to Sen. Al Franken (D-Minn.), the department said the Cybersecurity Information Sharing Act (CISA), set to hit the Senate floor this week, would create logistical and privacy challenges.
{mosads}The DHS is particularly worried about provisions in the bill that would allow companies to share cyber threat data with agencies other than Homeland Security.
Such language “could sweep away important privacy protections,” wrote Alejandro Mayorkas, the deputy secretary of the DHS.
The DHS fears the bill’s “expansive definitions of cyber threat indicators” would also permit companies to share data unrelated to cyber threats, Mayorkas added.
Under the legislation, the DHS would receive a greater amount of data about hackers from the private sector.
Supporters, including most industry groups, believe this information exchange would help both the public and private sector defend themselves against cyberattacks. But privacy advocates are concerned the bill would allow companies to hand over troves of customers’ personal data to government intelligence agencies.
The agency was writing in response to a series of questions that Franken submitted in recent months. Franken, the top Democrat on the Senate Judiciary Subcommittee on Privacy, Technology and the Law, is opposed to the legislation.
Mayorkas also wrote that a clause calling for the instantaneous sharing of data with multiple agencies “raises privacy and civil liberties concerns and would complicate efforts to establish an automatic sharing regime.”
The DHS has established information sharing arrangements that CISA might weaken, it said.
“If cyber threat indicators are distributed amongst multiple agencies rather than initially provided through one entity, the complexity — for both government and businesses — and inefficiency of any information sharing program will markedly increase; developing a single, comprehensive picture of the range of cyber threats faced daily will become more difficult,” Mayorkas wrote.
The result will actually reduce the government’s ability combat potential hackers, he said.
“This will limit the ability of DHS to connect the dots and proactively recognize emerging risks and help private and public organizations implement effective mitigations to reduce the likelihood of damaging incidents,” Mayorkas added.
The letter comes at an inopportune time for CISA backers.
Senate Majority Leader Mitch McConnell (R-Ky.) has vowed to try and get the bill through the upper chamber before heading out for the August recess.
Opponents chafed at the move, accusing McConnell of intentionally moving the bill on a limited timeframe to avoid a bruising floor debate over privacy concerns.
CISA does enjoy broad, bipartisan backing. The catastrophic hacks at the Office of Personnel Management have only increased pressure on Congress to pass a cyber bill.
The House passed its two complementary pieces of companion legislation by wide margins in April with the White House’s cautious support.
But the DHS letter throws cold water on CISA supporters who were hoping the White House would approve the upper chamber’s bill.
“I think all Americans have a fundamental right to privacy — and it’s especially important in light of advancing technologies that continually threaten to outpace our laws,” Franken said in a statement.
The DHS letter, he added, “makes it overwhelmingly clear” that CISA “would actually increase the difficulty and complexity of information sharing, undermining our nation’s cybersecurity objectives.”