Senator John Thune held a field hearing of the Senate Commerce, Science, and Transportation Committee at Dakota State University in Madison on Thursday, September 3. (Thune was the only Senator present, but that’s all a Senate committee needs to take testimony and look busy during recess.)
Cybersecurity is a real problem. SDN Communications president Mark Shlanta testified that his company observed 4,500 threats against its customers in one year. To combat that problem, Senator Thune is supporting the Cybersecurity Information Sharing Act of 2015, which would give companies more freedom to share information about attacks with the government… and you less freedom to keep your data private:
Senator John Thune will vote in favor of the Cybersecurity Information Sharing Act when it goes before the Senate this month. Thune says the bill will simply remove the legal and liability companies face now in sharing information about the threats.
…The bill exempts companies like SDN and others from anti-trust laws for sharing threat information with competitors and stops customers from suing if their information is turned over [Angela Kennecke, “Protection vs. Privacy,” KELO-TV, 2015.09.03].
Senator Thune admits there is opposition to the Cybersecurity Information Sharing Act, but he dismisses that opposition as coming from extremists:
“The response doesn’t follow your traditional party lines,” Thune said. “You’ll have an alignment of the people on the far left and the far right.”
Thune said persons on the left are often concerned about personal liberties, while right-wing libertarians have concerns about the size of federal government and how much authority it should hold [Chuck Clement, “Senator Discusses Security Issues,” Madison Daily Leader, 2015.09.04].
The Electronic Frontier Foundation takes issue with giving companies blanket immunity to hand private information to the government:
The bill also retains near-blanket immunity for companies to monitor information systems and to share the information as long as it’s conducted according to the act. Again, “cybersecurity purpose” rears its overly broad head since a wide range of actions conducted for a cybersecurity purpose are allowed by the bill. The high bar immunizes an incredible amount of activity. Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and potentially the Computer Fraud and Abuse Act would be precluded or at least sharply restricted by the clause. It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information. It’s also unclear because we continue to see companies freely share information among each other and with the government both publicly via published reports, information sharing and analysis centers, and private communications [Mark Jaycox, “Senate Intelligence Committee Advances Terrible
Cyberscurity BillSurveillance Bill in Secret Session,” Electronic Frontier Foundation, 2015.03.19].
EFF also contends that CISA grants private companies too much authority to launch surveillance and counterattacks against citizens without due process or a warrant.
Senator Al Franken shares EFF’s concerns, citing a letter from Homeland Security stating that CISA could “sweep away important privacy protections.” The bill Senator Thune backs would also complicate cybersecurity by allowing companies to share threat information with any government agency:
The DHS, in its letter, doesn’t merely knock CISA for incomplete — at best — privacy guard rails, but also that the idea of sharing “cyber threat indicators […] among multiple agencies,” instead of through “one entity” will lead to more “complexity” and “inefficiency” for both the public and private sectors. That’s to say that if you fire all the data into every corner, it tends to pile up and bury the stuff you might have needed [Alex Wilhelm, “Department of Homeland Security Highlights Privacy Concerns in Senate Cybersecurity Bill,” TechCrunch, 2015.08.03].
Senator Franken can’t support a bill that reduces privacy and our cybersecurity:
“I think all Americans have a fundamental right to privacy—and it’s especially important in light of advancing technologies that continually threaten to outpace our laws,” said Sen. Franken, who is the top Democratic Senator on the Judiciary Subcommittee on Privacy, Technology, and the Law. “The Department of Homeland Security’s letter makes it overwhelmingly clear that, if the Senate moves forward with this cybersecurity information-sharing bill, we are at risk of sweeping away important privacy protections and civil liberties, and we would actually increase the difficulty and complexity of information sharing, undermining our nation’s cybersecurity objectives” [Senator Al Franken, press release, 2015.08.03].
Senator Thune may keep chanting that anyone opposing him is an extremist. We could page Barry Goldwater, or we could just ask Senator Thune what’s so extreme about (1) expecting government, not private vigilantes, to take care of law enforcement, (2) asking that he take our Fourth Amendment rights against warrantless searches and seizures as seriously as he takes the Second Amendment, and (3) asking for policy that makes cybersecurity better, not worse.