New Cybersecurity Bill May Actually Take Privacy Concerns Seriously
from the it's-a-start dept
After all the concerns raised about CISPA and other cybersecurity legislation, Senators Lieberman and Collins introduced a heavily revised version of their cybersecurity bill. The entire thing is an insane 211 pages, but as a first pass, the ACLU (who has been highly critical of nearly all previous proposals) sounds cautiously optimistic that the new bill contains important privacy protections. From the ACLU’s initial analysis, this version of the bill will:
- Ensure that companies who share cybersecurity information with the government give it directly to civilian agencies, and not to military agencies like the National Security Agency. The single most important limitation on domestic cybersecurity programs is that they are civilian-run and do not turn the military loose on Americans and the internet.
- Ensure that information shared under the program be “reasonably necessary” to describe a cybersecurity threat.
- Restrict the government’s use of information it receives under the cyber info sharing authority so that it can be used only for actual cybersecurity purposes and to prosecute cyber crimes, protect people from imminent threat of death or physical harm, or protect children from serious threats.
- Require annual reports from the Justice Department, Homeland Security, Defense and Intelligence Community Inspectors General that describe what information is received, who gets it, and what is done with it.
- Allow individuals to sue the government if it intentionally or willfully violates the law.
The ACLU specifically calls out Senators Durbin and Franken for helping to get these changes included in the bill. I agree that all of these are important and useful changes compared to what had been in previous proposals. Focusing on civilian agencies rather than the NSA is a big one, since much of the fight over competing visions of the bill was really a turf war over who got to control the information (and the budget): Homeland Security or the NSA.
The bill also removes some of the regulatory requirements for organizations that run “critical infrastructure,” in favor of a more voluntary approach to setting up best practices, which may make the bill more palatable for some.
That said, we’re still waiting for an actual justification of cybersecurity bills that doesn’t include exaggerations of the threats that are out there, or Hollywood-scripted stories about planes falling from the skies that have little basis in reality. Moreover, though the claim has always been that these bills are important because the government is being legally prevented from sharing and receiving vital information, nobody has actually pointed to the specific legal obstacles that exist — and the government already has information sharing programs that don’t seem to require any new legislation. Also, any bill that’s 211 pages long is something to be concerned about, as the number of “hidden” easter eggs could be immense and serious. But, compared to previous cybersecurity bills, this certainly sounds like a big step in the right direction.