In an effort to defend against debilitating cyberattacks like those recently suffered by Sony, Congress on Wednesday will vote on legislation that would reduce restrictions on how companies and government agencies share information about hacking threats. The Protecting Cyber Networks Act, a bill authored by the House of Representative's Intelligence Committee, is expected to pass tomorrow with broad support from Democrats and Republicans.
Proponents of the PCNA on both sides of the aisle argue that greater government–private sector collaboration around cyberthreat detection is crucial to defending against electronic breaches and espionage. And the bill is intended to foster this by affording liability protection to companies that share identity-stripped information about their users with the government. The absence of such protection has been a stumbling block for garnering industry support for this kind of voluntary information sharing. But critics of the bill worry that cybersecurity is being used as a pretext to provide more personal information, previously unobtainable, to the government.
Indeed, despite the bipartisan momentum, dozens of advocacy groups and academics oppose the bill, citing privacy and civil liberties concerns. In a letter sent to members of Congress, a coalition of public interest groups and academics opposed to the bill argued PCNA would authorize companies to more closely monitor innocent users, afford more surveillance power to the National Security Agency, and would create scenarios where law enforcement may use cyberthreat data to prosecute non-cyber-related crime.
"The revelations of the past two years concerning the intelligence community's abuses of surveillance authorities and the scope of its collection and use of individuals' information demonstrates the potential for government overreach, particularly when statutory language is broad or ambiguous," states the letter, signed by groups including Human Rights Watch, the Electronic Frontier Foundation, and The Center for National Security Studies.
The House Permanent Select Committee on Intelligence insists these criticisms are unwarranted. Patrick Boland, who serves as the communications director for Rep. Adam Schiff and for the Intelligence Committee for the minority, told BuzzFeed News that the current version of the PCNA successfully addresses such privacy concerns, many of which were leveled against a previous incarnation of information sharing legislation.
"In the process of drafting this bill, protecting privacy was at the forefront throughout, and we consulted extensively with privacy and civil liberties groups, incorporating their suggestions in many cases," Boland said. "This is a strong bill that protects privacy, and one that I expect will get even better as the process goes forward — we expect to see large bipartisan support on the floor."
Jack Langer, the Intelligence Committee communications director, told BuzzFeed News that companies may only share cyberthreats for cybersecurity purposes — when they're seeking to protect their own systems or networks.
"The bill requires companies to strip out personally identifiable information (PII) not directly related to a cyberthreat before sharing cyberthreat indicators with the federal government. Upon receipt, the government is required to perform an additional scrub to ensure all unnecessary PII is removed," he said. He noted as well that the bill grants no new government surveillance authorities and expressly denies companies the authority to send cyberthreats directly to the NSA or to the military.
"The bill does not authorize sharing cyberthreat information directly with the NSA or any [Department of Defense] entity, and we envision that most sharing will occur through a [Department of Homeland Security] portal," Boland said. "Once cyberthreat information is shared through this civilian portal, and only after it has undergone a scrub on both the private side and on the government side to remove personal information, it can be shared with other government entities, including DOD and NSA."
Even with such assurances, some of the PCNA's critics remain concerned. Jake Laperruque, a privacy, surveillance, and security fellow at the Center for Democracy and Technology, another group that signed the letter, opposes the bill as it stands. "It seems like this bill is less cybersecurity and more cybersurveillance," he said. Although, he does support a number of amendments that may be considered with the bill, including a bipartisan one that would explicitly limit the scope of cyberthreat sharing and use to cybercrime.
Hamza Shaban is a technology policy reporter for BuzzFeed News and is based in Washington, DC.
Contact Hamza Shaban at Hamza.Shaban@buzzfeed.com.
Got a confidential tip? Submit it here.