Lawmakers, business execs defend privacy in CISPA
Critics say the cyberthreat information-sharing bill still has privacy problems
IDG News Service - Privacy and digital rights groups are overstating the privacy concerns in a controversial cyberthreat information bill introduced this week in the U.S. Congress, the bill's sponsors and leaders of some business groups said.
Groups opposed to the Cyber Intelligence Sharing and Protection Act (CISPA), introduced Wednesday, have "unfounded fears" about the privacy implications of the bill, said Representative Mike Rogers, a CISPA sponsor, Michigan Republican and chairman of the House of Representatives Intelligence Committee.
The bill would allow private companies in the U.S. to share cyberthreat information related to national security and cybercrime with each other and with government agencies, and it gives companies that share information in "good faith" immunity from customer lawsuits. CISPA would also allow government agencies to share classified cyberthreat information with businesses.
The bill is needed, Rogers said, because companies fear lawsuits if they share cyberthreat information with each other or the government.
Several privacy and civil liberties groups have objected to the bill, saying it allows privacy companies to share a wide range of personal information with government agencies without adequate oversight. On Thursday, the same day as a House hearing on CISPA, digital rights groups Demand Progress and Fight for the Future said they delivered a petition with 300,000 signatures opposing CISPA to Congress.
"According to the bill, personal information can be shared and obtained as long as the purpose is for 'cybersecurity' purposes, which can include anything like 'safeguarding' networks," Tiffiniy Cheng, co-founder of Fight for the Future, wrote in an email. "You can already choose a list of things that would fit into that [description] that most people would find to be a horrifying reason to obtain their personal info."
But companies would share little, if any, personal information with each other or with government agencies, Paul Smocer, president of the BITS tech policy arm of the Financial Services Roundtable, said during Thursday's hearing. Companies would be sharing information about the type of attacks and the source of attacks, not personal information about customers whose data was compromised, he said.
When cybersecurity vendor Mandiant now shares attack information with its customers, "it's data that is totally anonymous," added Kevin Mandia, CEO of Mandiant.
Smocer called the current privacy provisions in CISPA adequate.
In some cases, however, companies would be sharing the IP addresses of suspected attackers, Smocer said. Witnesses in the hearing didn't talk about the privacy implications of sharing information about suspected attackers.
The Intelligence Committee had no privacy or civil liberties groups testify during the CISPA hearing.
Most members of the committee did not raise privacy concerns, but Representative Adam Schiff, a California Democrat, asked witnesses if they would decline to share cyberthreat information if the bill required them to take reasonable steps to delete personal information. None of the four business witnesses said such a requirement would stop them from sharing information.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts