OTI Statement on President’s Legislative Proposal for Cyber Information Sharing

Today, the White House made public a package of legislative proposals aimed at improving cybersecurity. The package included a proposal that would significantly expand companies’ authority to share information pertaining to “cyber threats” with the Department of Homeland Security, which would then disseminate that information to other relevant federal entities, including the NSA and other military and intelligence agencies with cyber-related missions.

Robyn Greene, Policy Counsel at New America’s Open Technology Institute, stated: “Although the Administration's proposal includes some modest privacy improvements compared to CISPA, the controversial cybersecurity bill that was just reintroduced in the House, it ultimately falls short when it comes to addressing the significant privacy and civil liberties concerns that come with companies’ sharing more data with the government.

“We appreciate that the proposal, unlike CISPA, requires companies to remove some personal information from data that they share with the government, and does not authorize companies to act as vigilantes and retaliate against cyber-intruders with ill-defined countermeasures that could harm innocent computer users. However, it fails to effectively cement civilian control by the Department of Homeland Security over the information-sharing program, by requiring near real time sharing with military and intelligence agencies like the NSA who should only receive that information when it is necessary to address a significant cyber threat."

Kevin Bankston, Policy Director of New America’s Open Technology Institute, added: “After nearly two years of shocking revelations about mass surveillance by the National Security Agency, the appropriate response is for the White House to work with Congress to quickly pass surveillance reform—not add to the amount of information being sucked up by the NSA’s vacuum cleaner with cybersecurity legislation that does too little to protect Americans’ privacy.” Added Bankston, “In the wake of the Sony cyber-incident, the Administration is clearly under pressure to take action on cybersecurity. But we should remember that the attacks on Sony were made possible due to that company’s poor security practices and outdated software, not due to a lack of information sharing. Lawmakers should be more focused on developing policies that will foster more secure software and more effective security practices, rather than trying to solve the cybersecurity problem with more Internet surveillance.”