06 Dec

Is the Cyber Intelligence Sharing and Protection Act a Road Paved with Good Intentions?

Posted by Ephraim Schwartz
Ephraim Schwartz served as editor-at-large for InfoWorld for 12 years and is now
in Compliance

 
The Cyber Intelligence Sharing and Protection Act (HR 3523), now working its way through Congress, “encourages” the private sector to voluntarily share and exchange information with members of the “intelligence community.” But does HR 3523 dilute years of privacy data protection in the name of security?

HR 3523 expands on the National Security Agency's (NSA) current practice of sharing cyberattack signatures, and data that indicate a potential breach, with ISPs used by defense contractors.

If the bill passes, smaller companies will benefit by having at their disposal, to defend their networks, the same classified NSA attack signatures that larger companies now receive.

In typical Congressional-speak, the bill refers to companies as “certified” or “protected entities.”

In addition to sharing data with the NSA and other security agencies, companies would be able to share private customer communications data among themselves for mutual self-protection without fear of a civil suit or federal or state criminal charges.

“No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity … or an officer, employee or agent of a protected entity …” according to the bill.

Protected entities also are not liable “for not acting on information obtained or shared in accordance with this section.”

According to a letter sent by ACLU legislative counsel Michelle Richardson to Michigan Rep. Mike Rogers and Maryland Rep. C.A. "Dutch" Ruppersberger, the two sponsors of HR 3523, the bill would “create a cybersecurity exception to all privacy laws.”

The Center for Democracy & Technology (CDT) is also weighing in on the bill, claiming it will "expand the government’s role in monitoring private communications," and that, once shared, the information could be "used for any purpose that is not specifically prohibited."

Then there is the section of the bill I find rather humorous.

It states that the federal intelligence community can share information only with those in the private sector who have an “appropriate security clearance.” But at the same time, the bill authorizes the chief of a particular government intelligence group to grant a security clearance on a temporary basis to an employee or officer of a certified entity.

That means anyone from the CEO of Chuck E. Cheese to the CEO of Charles Schwab potentially could be granted clearance to some pretty sensitive information, albeit temporarily. And who wouldn’t want bragging rights to a top security clearance? But how well will the people receiving these temporary security clearances be vetted?

Finally, the opt-in, opt-out legislation is reminiscent of the 55 mph national speed limit, which also encouraged states to opt in voluntarily. Of course, if the states opted out, they did not receive federal money for highway improvement.
