Lawmakers, business execs defend privacy in CISPA
Critics say the cyberthreat information-sharing bill still has privacy problems
IDG News Service - Privacy and digital rights groups are overstating the privacy concerns in a controversial cyberthreat information bill introduced this week in the U.S. Congress, the bill's sponsors and leaders of some business groups said.
Groups opposed to the Cyber Intelligence Sharing and Protection Act (CISPA), introduced Wednesday, have "unfounded fears" about the privacy implications of the bill, said Representative Mike Rogers, a CISPA sponsor, Michigan Republican and chairman of the House of Representatives Intelligence Committee.
The bill would allow private companies in the U.S. to share cyberthreat information related to national security and cybercrime with each other and with government agencies, and it gives companies that share information in "good faith" immunity from customer lawsuits. CISPA would also allow government agencies to share classified cyberthreat information with businesses.
The bill is needed, Rogers said, because companies fear lawsuits if they share cyberthreat information with each other or the government.
Several privacy and civil liberties groups have objected to the bill, saying it allows privacy companies to share a wide range of personal information with government agencies without adequate oversight. On Thursday, the same day as a House hearing on CISPA, digital rights groups Demand Progress and Fight for the Future said they delivered a petition with 300,000 signatures opposing CISPA to Congress.
"According to the bill, personal information can be shared and obtained as long as the purpose is for 'cybersecurity' purposes, which can include anything like 'safeguarding' networks," Tiffiniy Cheng, co-founder of Fight for the Future, wrote in an email. "You can already choose a list of things that would fit into that [description] that most people would find to be a horrifying reason to obtain their personal info."
But companies would share little, if any, personal information with each other or with government agencies, Paul Smocer, president of the BITS tech policy arm of the Financial Services Roundtable, said during Thursday's hearing. Companies would be sharing information about the type of attacks and the source of attacks, not personal information about customers whose data was compromised, he said.
When cybersecurity vendor Mandiant now shares attack information with its customers, "it's data that is totally anonymous," added Kevin Mandia, CEO of Mandiant.
Smocer called the current privacy provisions in CISPA adequate.
In some cases, however, companies would be sharing the IP addresses of suspected attackers, Smocer said. Witnesses in the hearing didn't talk about the privacy implications of sharing information about suspected attackers.
The Intelligence Committee had no privacy or civil liberties groups testify during the CISPA hearing.
Most members of the committee did not raise privacy concerns, but Representative Adam Schiff, a California Democrat, asked witnesses if they would decline to share cyberthreat information if the bill required them to take reasonable steps to delete personal information. None of the four business witnesses said such a requirement would stop them from sharing information.
- Study: Total Economic Impact of Google Apps Employees can work faster and IT spending can decrease when companies switch to Google Apps, says a commissioned study by Forrester Consulting. Going...
- Protecting Digitalized Assets in Healthcare Healthcare providers face an urgent, internal battle every day: security and compliance versus productivity and service. For most healthcare organizations, the fight is...
- Is a SaaS Deployment Right for You? Find out the answer and as well as the other deployment options.
- Discover How Mail Express Solves 2 of Your Biggest IT Headaches Email. It can be the source of some of IT's biggest headaches. As it eats up storage and bandwidth, it also opens up...
- Increasing the Value of Your Reports and Dashboards Learn how incorporating other analytical capabilities such as predictive modeling and visualization can increase the value of your reports and dashboards by providing...
- Video surveillance for IT: maximum image quality, minimum bandwidth Join us on Thursday, May 8th at 1 p.m. EST when Willem Ryan, Senior Product Marketing Manager at Avigilon, will discuss how IT... All Management White Papers | Webcasts