America's cyber-security proto-laws branded 'surveillance in disguise'
You wait ages for a computer security bill, then two come along at once
The US House of Representatives has passed not one but two computer security bills that allow companies and Uncle Sam to share information about citizens, cyber-attacks and software vulnerabilities – and removes any legal liabilities for firms doing so.
The Protecting Cyber Networks Act [PDF] (PCNA), which passed by 307 votes to 116, demands a new Cyber Threat Intelligence Integration Center – a clearing house for material that can be swapped between companies, or with the federal government.
That data could include citizens' private records and potentially sensitive files. So, under the proposed law, companies will be expected to anonymize the intelligence before sharing it, and a federal body will check that personally identifying information has been stripped out before releasing the information to government bodies.
The second bill, the National Cybersecurity Protection Advancement Act [PDF] (NCPAA) also adds legal cover, shielding companies from lawsuits if they choose to share information. It passed by 355 votes to 63.
Now the two bills will be combined into one document, which has some privacy warriors worried.
"The bills are not cybersecurity 'information sharing' bills, but surveillance bills in disguise," said Mark Jaycox, legislative analyst at the Electronic Frontier Foundation.
"Like other bills we’ve opposed during the last five years, they authorize more private sector spying under new legal immunity provisions and use vague definitions that aren’t carefully limited to protect privacy. The bills further facilitate companies’ sharing even more of our personal information with the NSA."
Nevertheless, the bills have support from both parties, and as they move up to the Senate for approval, it seems likely that they will have no problems in the upper chamber. President Obama is highly unlikely to veto them – his cybersecurity coordinator Michael Daniel spoke strongly in their favor at this week's RSA 2015 security conference.
"We see information sharing as a critical enabler," Daniel said. "It's not an end unto itself, because obviously you have to do something with it otherwise it doesn’t do much good. It's really the fuel for further operations." ®