In-brief: Two pieces of legislation moving through Congress could address glaring needs for more legal protections for companies that want to share information on cyber attacks. They would also grease the wheels of the federal government’s omnibus surveillance machine. Read this post in its entirety on Digital Guardian’s blog.
There is movement once again on the issue of cyber security legislation, with two bills moving through Congress: the Protecting Cyber Networks Act, put forward by the House Permanent Select Subcommittee on Intelligence, and the Cyber Information Sharing Act of 2015 (CISA for short) in the Senate.
The motivation for these bills is clear enough. Companies want legal cover. They want to be able to share certain types of information that might be useful to others, but they want to do it without drawing attention or inviting lawsuits.
The federal government would like better data on cyber incidents. Right now, many are not reported by private sector firms. And, given the huge slice of the nation’s critical infrastructure that is in private hands – from Wall Street trading firms to power plants – this represents a huge gap in the government’s understanding of cyber risk facing the country.
The problem? Washington D.C. lawmakers don’t seem to be able to come up with a “clean” bill on cyber security. Instead, time and again otherwise passable bills have gone off the rails: adding provisions that raise the ire of privacy advocates or the business community or both without doing much to actually boost cyber security.
Who do these provisions serve? It’s often hard to tell, but the specter of the U.S. intelligence communities – the NSA and CIA – looms large. In a blog post, noted attorney Jennifer Granick at Stanford’s Center for Internet and Society argues that both the House and Senate bills fail the civil liberties sniff test: boosting the legal protections for government surveillance of citizens without boosting cyber security protections for companies or individuals.