from the it's-not-what-you-think dept
The authorization to share cyber threat indicators and defensive measures with “any other entity or the Federal Government,” “notwithstanding any other provision of law” could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers. (This concern is heightened by the expansive definitions of cyber threat indicators and defensive measures in the bill. Unlike the President’s proposal, the Senate bill includes “any other attribute of a cybersecurity threat” within its definition of cyber threat indicator and authorizes entities to employ defensive measures.)

This has led to some surprise among people who don't follow this issue that closely that "even Homeland Security" doesn't like the bill. But that ignores history and what this fight has always been about. Going back many, many years, we've been highlighting that all of these "cybersecurity" bills are little more than a bureaucratic turf war over who gets to control the purse strings for the massive, multi-billion-dollar budget that will be lavished on government contractors for "cybersecurity solutions." That the bill might also boost surveillance capabilities is little more than a nice side benefit.
The key players in this turf war? The NSA and Homeland Security (with the Justice Department occasionally waving its hand frantically in the corner shouting "don't forget us!"). From the beginning, one of the key questions people have asked is "who gets the data?" Obviously, "none of the above" is probably the best answer, but of the remaining options, Homeland Security tends to be the least worst option out of a list of three really bad options. And, so far, the White House has repeatedly pushed to put DHS in charge, giving it more power over the budget. However, CISA does not put DHS in charge.
So that is why DHS is complaining. Yes, the "privacy" concerns are there, but DHS's real concern is that it's not DHS running the show (and controlling the budget). Reread the DHS letter with this as background, and it becomes a lot more understandable:
The Administration has consistently maintained that a civilian entity, rather than a military or intelligence agency, should lead the sharing of cyber threat indicators and defensive measures with the private sector. The National Cybersecurity Protection Act of 2014 recognized the NCCIC to be responsible for coordinating the sharing of information related to cybersecurity risks and to be the federal civilian interface for multi-directional and cross-sector sharing of information about cybersecurity risks and warnings. The NCCIC has representatives from the private sector and other federal entities involved in cyber information sharing, from those with whom we have an agreement and share consistently, to those that passively receive information from the center.

There's a lot more like that in the letter as well:
Equally important, if cyber threat indicators are distributed amongst multiple agencies rather than initially provided through one entity, the complexity–for both government and businesses–and inefficiency of any information sharing program will markedly increase; developing a single, comprehensive picture of the range of cyber threats faced daily will become more difficult. This will limit the ability of DHS to connect the dots and proactively recognize emerging risks and help private and public organizations implement effective mitigations to reduce the likelihood of damaging incidents. DHS recommends limiting the provision in the Cybersecurity Information Sharing Act regarding authorization to share information, notwithstanding any other provision of law, to sharing through the DHS capability housed in the NCCIC. This would not preclude sharing with any federal entity (indeed, DHS maintains an obligation to share rapidly with federal partners independent of any legislation), and it would further incentivize sharing through the NCCIC.
Don't get me wrong. Having DHS come out against CISA and speaking out about the privacy concerns the bill raises is great. But don't think that DHS is against these kinds of "information sharing" bills at all. It is not. It just wants to make sure that it's the queen bee when it comes to who's in charge of cybersecurity information... and, with it, who gets to control the budget.