As Senate moves on cyber, DHS cautions on privacy

The Senate could move in the news few days on sweeping cybersecurity legislation that would promote information sharing on cyber threats between government and the private sector. But the Department of Homeland Security is warning that the measure could create unintended privacy risks for Internet users.

The Cybersecurity Information Sharing Act would authorize DHS to create a real-time information sharing portal for Internet service providers, network operators and other firms to share threat indicators with government. The bill was approved by the Senate Select Committee on Intelligence by a vote of 14-1 in March.

DHS Deputy Secretary Alejandro Mayorkas said that the language of the bill requiring information sharing in "real time" and "not subject to any delay [or] modification," will limit the ability of the department to scrub incoming threat indicators for irrelevant personally identifiable information. In a reply to written questions from Sen. Al Franken (D-Minn.), Mayorkas noted that the language of the bill would put DHS in the position of contributing to the "the compromise of personally identifiable information by spreading it further," in the course of information sharing. He suggested tweaking the language to require DHS to pass along threat information in "as close to real time as practicable" and "in accordance with applicable policies and procedures."

Mayorkas also observed that the legislation would diminish the central role of the National Cybersecurity and Communications Integration Center as the nerve center for public-private cyber threat detection. The Senate bill has language that loops in law enforcement and intelligence agencies in the pipeline for direct sharing of threat information. The Obama administration, Mayorkas said, "has consistently maintained that a civilian entity, rather than a military or intelligence agency, should lead the sharing of cyber threat indicators and defensive measures with the private sector."

DHS also took issue with provisions in the bill that would give an "expansive" definition of what constitutes a cyber threat, a potentially "restrictive" designation of information delivered to the government as proprietary, and the grant of authority to the attorney general to design operational procedures for the DHS information-collection capabilities. Mayorkas also urged the Senate to add an explicit grant of authority for the government to make the DHS network protection system Einstein the default cybersecurity system for federal networks.

Franken said in a statement that the DHS letter "makes it overwhelmingly clear that, if the Senate moves forward with this cybersecurity information-sharing bill, we are at risk of sweeping away important privacy protections and civil liberties, and we would actually increase the difficulty and complexity of information sharing, undermining our nation's cybersecurity objectives."

Retired House Intelligence Committee Chairman Mike Rogers slammed the DHS letter for what he said were familiar but unfounded privacy concerns. As committee chairman in 2013, the Michigan Republican helped pass an information-sharing bill whose Senate version never won enough backing to advance during his tenure.

“The one trump card that [opponents of information-sharing bills] will throw down, and they did it in the DHS letter, to stop the legislation is 'we have privacy concerns.' That stops everything," Rogers said Aug. 3 at a cybersecurity panel discussion hosted by the Hudson Institute.

"Now our own government is going to work against itself for God only knows how long, again, over the details of how we come up with a cyber-sharing regime in the United States," added Rogers.

The House passed its own information sharing bill that would address many of the privacy concerns cited in the Mayorkas letter, including requiring a civilian hub for collecting and disseminating threat information. That bill sailed through on a vote of 355-63 in April.

Sean Lyngaas contributed to this story.