Cybersecurity pros slam threat information-sharing bills

Sixty-five cybersecurity professionals and academics have asked Congress to reject three versions of information-sharing bills over privacy concerns.

Sen. Dianne Feinstein (D) of Calif., vice chairman of the Senate Intelligence Committee, is among the members of Congress whom security professionals are urging to reject pending information-sharing legislation.

Joshua Roberts/Reuters

April 16, 2015

More than 65 cybersecurity professionals and academics have come out against a trio of bills moving through Congress that are meant to enable information sharing about digital threats between businesses and the government. 

In a letter sent today to ranking members of the House and Senate Intelligence Committees and the chair of the House Homeland Security Committee, they urge Congress to reject the controversial Cybersecurity Information Sharing Act and two similar bills.

"We do not need new legal authorities to share information that helps us protect our systems from future attacks," they wrote. "Generally speaking, security practitioners can and do share this information with each other and with the federal government while still complying with our obligations under federal privacy laws."


The signatories of the letter take issue with the potential privacy implications of the bills. "The bills weaken privacy law without promoting security," they said in the letter.

This is not the first time the information sharing bills have been criticized by privacy advocates. Previously, critics have argued that an information sharing law could expose even more personal data held by tech companies to agencies such as the National Security Agency or to the FBI.

In order to support an information sharing bill, they have asked that it contain the following elements:

  1. "Narrowly define the categories of information to be shared as only those needed for securing systems against future attacks;
  2. Require firms to effectively scrub all personally identifying information and other private data not necessary to identify or respond to a threat;
  3. Not allow the shared information to be used for anything other than securing systems."

Signatories include representatives from technology and security companies such as Amazon, Cisco, Twitter, Rapid7, and Veracode, as well as academics from the University of California at Berkeley, the Massachusetts Institute of Technology, and Yale University.