Privacy concerns over House Intelligence cybersecurity info sharing bill

Tools

The House Intelligence Committee approved Dec. 1 legislation (H.R. 3523) that would set up a cybersecurity threat information sharing mechanism between the intelligence community and the private sector.

The bill continues to come under criticism from privacy advocates however, despite the inclusion during the markup of an amendment that would restrict how the government can make use of the information collected from the private sector.

The amendment (.pdf), offered by the bill's two sponsors, House Intelligence Chairman Mike Rogers (R-Mich.) and Ranking member Dutch Ruppersberger (D-Md.) would require that the information shared with the government have "at least of significant purpose" related to cybersecurity or national security.

The use limitation amendment is too broad since the shared information could still be used for other purposes, said Jim Dempsey, Center for Democracy and Technology vice president for public policy, in an interview.

"We want to have limitations both on the sharing side and on the use side," he added. The bill defines cyber threat information to be shared by the private sector as information "directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity."

The bill should specify the information to be shared, such as attack signatures or attribution information, Dempsey added.

The bill as approved by the committee also faces some skepticism  from Rep. Jim Langevin (D-R.I.), co-chair of the Congressional Cybersecurity Caucus. While the bill is an "important first step," he said, "I still have very strong privacy concerns that regrettably could not be addressed in the committee."

For more:
- go to the THOMAS page for H.R. 3523

Related Articles:
DOJ seeks to expand Computer Fraud and Abuse Act 
U.S. indicts 7 in clickjacking scheme 
Cybersecurity threats require public-private partnership, says Langevin